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ABSTRACT 


The  U.S.  Nuclear  Regulatory  Commission  (NRC)  is  addressing  the  human  performance  aspects  of 
changes  to  operator  actions  that  are  credited  for  safety,  especially  those  involving  changes  in  the 
licensing  basis  of  the  plant;  e.g.,  use  of  manual  action  in  place  of  an  automatic  action  for  safety 
system  operations.  This  report  proposes  risk-informed  guidance  and  acceptance  criteria  for  the 
review  of  licensee  proposals  addressing  such  modifications.  The  review  method  uses  a  graded, 
risk-informed  approach  and  provides  guidance  for  reviewing  the  human  performance  aspects  of 
changes  to  plant  systems  and  operations.  The  evaluation  method  uses  a  two-phase  approach. 

The  first  phase  is  a  screening  analysis  of  the  plant  modification  and  the  affected  human  actions 
(HAs)  to  determine  their  risk  importance.  Three  risk  regions  are  defined:  high,  medium,  and 
lower  risk  regions.  In  the  second  phase,  HAs  are  reviewed  using  human  factors  engineering 
criteria  to  ensure  the  proposed  HA  can  be  reliably  performed  when  called  upon  in  the  plant.  HAs 
in  the  high-risk  region  receive  a  detailed  review  and  those  in  the  medium-risk  region  receive  a  less 
detailed  review  that  is  commensurate  with  their  risk.  For  HAs  falling  into  the  lower-risk  region, 
no  human  factors  review  is  performed. 


TABLE  OF  CONTENTS 


Page 

ABSTRACT . iii 

EXECUTIVE  SUMMARY .  vii 

ACRONYMS  . xiii 

1  INTRODUCTION . 1 

2  RISK  SCREENING  PROCESS  . 5 

2. 1  Affected  Human  Actions . 5 

2.2  Overview  of  Screening  Process . 5 

2.3  Step  1  -  Change  in  Risk  Due  to  Permanent  Modification . 7 

2.4  Step  1  -  Change  in  Risk  Due  to  Temporary  Modification . 9 

2.5  Step  2  -  Risk  Due  to  the  Affected  Human  Action . 12 

2.6  Generic  Approach  . 12 

2.7  Comparison  of  PRA  Results  to  Acceptance  Guidelines  . 14 

2.8  Level  of  HFE  Review  of  the  Affected  Human  Actions . 15 

3  REGION  I  REVIEW  GUIDANCE . 17 

3.1  General  Deterministic  Review  Criteria  . 17 

3.2  Licensee's  General  Approach  to  HFE  . 19 

3.3  Operating  Experience  Review . 20 

3.4  Functional  Requirements  Analysis  And  Functional  Allocation  . 22 

3.5  Task  Analysis . 24 

3.6  Staffing . 28 

3.7  Probabilistic  Risk  and  Human  Reliability  Analysis  . 29 

3.8  Human-System  Interface  Design . 31 

3.9  Procedure  Design . 33 

3.10  Training  Program  Design . 35 

3.11  Human  Factors  Verification  and  Validation  . 37 

3.12  Human  Performance  Monitoring  Strategy . 44 


TABLE  OF  CONTENTS 

(continued) 

Page 

4  REGION  II  REVIEW  GUIDANCE . 47 

4. 1  General  Deterministic  Review  Criteria . 47 

4.2  Analysis . 48 

4.3  Design  of  HSIs,  Procedures,  and  Training . 49 

4.4  Human  Action  Verification . 50 

5  FINAL  DECISION  ON  ACCEPTANCE  OF  HUMAN  ACTIONS . 51 

6  REFERENCES . 55 

GLOSSARY . 59 

ATTACHMENT  A  Generic  Risk-Important  Human  Actions  .  A-1 

ATTACHMENT  B  Example  Application  of  Screening  Process  . B-1 

ATTACHMENT  C  An  Approach  to  the  Statistical  Analysis  of  Time  Data .  C-1 

LIST  OF  FIGURES 

2. 1  Acceptance  Guidelines  for  Core  Damage  Frequency  (CDF) . 8 

2.2  Acceptance  Guidelines  for  Large  Early  Release  Frequency  (LERF) . 9 

2.3  Guidelines  for  Integrated  Risk  Increase  -  ICCDP . 11 

2.4  Guidelines  for  Integrated  Risk  Increase  -  ICLERP . 11 

LIST  OF  TABLES 

2.1  Placement  of  HAs  in  Risk  Regions  for  Submittals  without  Risk  Information . 14 

2.2  Levels  of  Review  for  Human  Actions . 16 

3.1  Types  of  Task  Analysis  Output . 26 

vi 


EXECUTIVE  SUMMARY 


The  U.  S.  Nuclear  Regulatory  Commission  (NRC)  reviews  changes  in  operator  actions  that  are 
credited  in  plant  safety  analyses.  Changes  in  credited  action  may  result  from  a  variety  of  plant 
activities  such  as:  plant  modifications,  procedure  changes,  equipment  failures,  justifications  for 
continued  operations  (JCOs),  and  identified  discrepancies  in  equipment  performance  or  safety 
analyses.  Relevant  review  considerations  are  described  in  NRC  information  notices  and  generic 
issues.  Information  Notice  (IN)  91-18  (NRC,  1991)  discusses  the  conditions  under  which 
manual  actions  may  be  used  in  place  of  automatic  actions  for  safety  system  operations.  IN  97-78 
(NRC,  1997)  alerts  licensees  to  the  importance  of  considering  the  effects  on  human  performance 
of  such  changes  made  to  plant  safety  systems. 

This  document  proposes  guidance  to  address  the  review  of  risk-important  operator  actions, 
including  emergency  core  cooling  system  (ECCS)  switchover,  and  other  types  of  required 
operator  actions.  A  graded,  risk-informed  approach  is  used  in  conformance  with  Regulatory 
Guide  (RG)  1 . 174  (NRC,  1998)  and  guidance  is  provided  for  reviewing  the  human  performance 
aspects  of  changes  to  plant  systems  and  operations.  Risk  insights  are  used  to  determine  the  level 
of  regulatory  review  the  staff  should  perform.  Human  actions  (HAs)  that  are  considered  more 
risk  significant  receive  a  detailed  review,  while  those  of  less  risk  significance  receive  a  less 
detailed  review.  In  keeping  with  RG  1.174,  this  guidance  does  not  preclude  other  approaches  for 
requesting  changes  to  a  plant’s  licensing  basis  or  other  approaches  for  requesting  changes  in  HAs. 
Rather,  this  approach  to  the  review  of  HAs  is  intended  to  improve  consistency  in  regulatory 
reviews  and  decisions. 

A  two-phase  evaluation  method  is  used.  The  first  phase  is  a  risk  screening  and  analysis  of  the 
licensee’s  identification  of  affected  HAs  and  a  determination  of  their  risk  importance.  The  second 
is  a  human  factors  engineering  (HFE)  review  of  the  affected  HAs.  Each  is  described  below. 

Risk  Screening  and  Process 


A  screening  analysis  is  used  to  locate  the  plant  modification  and  its  associated  HAs  in  risk  space 
using  guidance  similar  to  that  of  RG  1.174.  Essentially,  plant  modifications  and  their  associated 
HAs  are  categorized  into  high,  medium,  and  lower  risk  based  on  the  three  regions  discussed  in  the 
RG.  This  categorization  is  used  to  determine  the  level  of  graded  human  factors  engineering 
(HFE)  review  needed.  Important  steps  of  this  process  are  described  below. 

The  licensee  reviews  a  proposed  plant  change  to  identify  HAs  that  are  new  actions,  modified 
actions,  or  involve  modified  task  demands.  A  10  CFR  50.59  evaluation  is  conducted  by  the 
licensee  for  any  changes  that  affect  the  licensee’s  Final  Safety  Analysis  Report  (FSAR).  This 
evaluation  may  result  in  the  identification  of  activities  associated  with  the  change,  which  require 
NRC  review  and  approval  prior  to  implementation. 
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For  the  risk-informed  review,  the  licensee  would  make  an  initial  screening  risk  calculation  and 
submit  this  to  NRC  with  the  request  for  approval  of  the  change.  If  the  action  is  verified  to  be  in 
the  lower  risk  region,  then  the  licensee’s  change  would  be  permitted  with  no  further  NRC  human 
factors  review.  If  the  action  is  in  the  medium  risk  region  then  a  moderate,  top  level  human 
factors  review  is  performed  by  NRC.  If  the  action  is  in  the  high  risk  region,  then  a  more  detailed 
review  is  in  order,  which  would  include  human  factors,  deterministic,  and  risk  aspects. 

The  risk  screening  calculations  consider  whether  the  proposed  change  is  a  permanent  or  a 
temporary  change.  When  temporary,  the  screening  includes  consideration  of  the  length  of  time 
that  it  will  be  in  place.  Risk  calculations  include;  (1)  the  change  in  risk  or  core  damage 
frequency  (CDF)  due  to  the  modification  (ACDF^joj)  that  includes  the  HA,  (2)  the  change  in  risk 
due  to  the  failure  of  the  new  HA  in  question  (ACDFha),  and  (3)  the  integrated  risk  due  to  the 
modification  over  the  time  that  the  change  or  modification  is  to  be  in  place  (or  the  integrated 
conditional  core  damage  probability  -  ICCDP).  Similar  calculations  would  be  performed  for 
large  early  release  frequency  (LERF).  Uncertainty  with  respect  to  human  actions  is  considered, 
in  that  the  human  error  probability  is  allowed  to  increase  to  1 .0  for  the  actions  under  review.  For 
those  HAs,  where  the  change  is  risk  significant,  the  intent  of  the  detailed  HFE  review  is  to  ensure 
that  they  can  be  successfully  performed  when  required  in  order  to  limit  the  risk  associated  with 
the  failure  of  the  HAs. 

Human  Factors  Engineering  Review 

In  this  phase,  the  HAs  are  reviewed  to  ensure  the  proposed  HA  can  be  reliably  performed  when 
needed.  Again,  the  details  of  the  review  are  commensurate  with  the  risk.  Three  levels  of  risk 
and  NRC  review  are  presented.  The  review  criteria  are  based  on  an  adaptation  of  existing  NRC 
review  guidance  for  human  factors,  as  found  in:  NUREG-0800  (NRC,  1996a),  NUREG-071 1 
(NRC,  1994),  NUREG-0700,  Rev.  1,  (NRC,  1996b),  and  IN  97-78  (NRC,  1998). 

A  Region  I  review  is  used  for  ELAs  in  the  high  risk  category.  Changes  in  Region  I  require  the 
most  stringent  review  and  include  the  following  review  elements: 

•  General  Deterministic  Review  Criteria  (e.g.,  current  regulations  and  defense-in-depth 

considerations,  as  discussed  in  RG  1.174) 

•  HFE  Program  Management 

•  Operating  Experience  Review 

•  Functional  Requirements  Analysis  and  Functional  Allocation 
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•  Staffing 

•  Probabilistic  Risk  and  Human  Reliability  Analysis 

•  Human-System  Interface 

•  Procedures 

•  Training 

•  Human  Factors  Verification  and  Validation 

•  Human  Performance  Monitoring  Strategy  (i.e.,  verifying  that  no  adverse  safety 
degradation  results  from  the  changes  in  operator  actions  and  that  the  conclusions  drawn 
from  the  evaluation  remain  valid  over  time). 

HAs  in  the  medium  risk  category  receive  a  Region  II  review  by  the  NRC.  While  the  guidance 
addresses  similar  topical  areas  as  the  Region  I  review,  the  extent  of  the  staff  review  is 
considerably  less.  The  evaluation  processes  for  this  region  are  less  prescriptive  and  provide 
greater  latitude  to  the  licensee  for  the  collection  and  analysis  of  information  than  in  Region  I. 
The  Region  II  evaluation  process  includes  the  following  four  elements: 

•  General  Deterministic  Review  Criteria  (same  as  the  Region  I  element). 

»  Analysis  -  Reviews  key  considerations  of  the  following  elements  of  NUREG-071 1 : 
Operating  Experience  Review,  Functional  Requirements  Analysis  and  Function 
Allocation,  Task  Analysis,  and  Staffing. 

•  Design  of  Human-System  Interface  (HSIs),  Procedures,  and  Training  -  Reviews  key 
considerations  from  the  following  elements  of  NUREG-071 1 :  HSI  Design,  Procedure 
Development,  and  Training  Prograun  Development. 

•  Human  Action  Verification  -  Reviews  the  licensee’s  demonstration  that  the  HAs  can  be 
successfully  accomplished  with  the  modified  HSI,  procedures,  and  training  (e.g.,  a  walk¬ 
through  evaluation  of  the  operator  action  under  realistic  conditions). 

HAs  in  the  lower  risk  category  receive  only  a  limited  Region  III  review  by  the  NRC.  The  staff 
review  is  limited  to  verification  that  the  action  is  in  fact  in  Region  III.  No  human  factors  review 
is  necessary.  However,  licensees  may  use  the  Region  II  guidance  themselves  to  address  human 
factors  considerations. 
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Final  Decision  on  Acceptance  of  Human  Actions 

Once  the  NRC  completes  its  review  of  a  proposed  change  in  HAs,  a  final  decision  is  made  based 
on  the  information  that  has  been  gathered,  reviewed,  and  evaluated.  The  results  of  the  different 
analyses  are  considered  in  an  integrated  marmer  (i.e.,  the  decision  is  not  driven  solely  by  the 
numerical  results  of  the  risk  assessment).  This  approach  complements  the  NRC's  deterministic 
approach,  supports  the  NRC's  traditional  defense-in-depth  philosophy,  and  takes  into 
consideration  both  traditional  engineering  and  risk  information.  Both  qualitative  and  quantitative 
analyses  and  information  are  used.  The  main  factors  considered  in  the  decision  process  include 
the  following: 

•  Change  in  CDF  -  The  increase  in  CDF  due  to;  the  modification  (ACDF^od)  3itd  failure  of 
the  HA  (ACDFha  )■ 

•  Change  in  LERF  -  The  increase  in  LERF  due  to:  the  modification  (ALERPn^oj)  and  failure 
of  the  HA  (ALERFha  ) 

•  Time  and  Integrated  Risk  -  Risks  integrated  over  the  length  of  time  that  a  temporary 
change  will  be  in  place. 

•  HFE  -  The  degree  of  confidence  that  operators  can  perform  the  actions  required  for  the 
modification  in  question  as  determined  by  the  HFE  review  criteria. 

•  Deterministic  Criteria  -  Satisfaction  of  the  deterministic  review  guidance  provided  in 
Section  3.1  of  the  Region  I  review  guidance  or  Section  4.1  of  the  Region  II  review 
guidance. 

Additional  factors  that  may  also  be  used  to  determine  the  acceptability  of  a  change  include: 

•  The  cumulative  impact  of  previous  changes  and  the  trend  in  CDF  and  LERF  (the 
licensee's  risk  management  approach) 

•  The  impact  of  the  proposed  change  on  operational  complexity,  burden  on  the  operating 
staff,  and  overall  safety  practices 

•  Plant-specific  performance  and  other  factors  (e.g.,  siting  factors,  inspection  findings, 
performance  indicators,  and  operational  events) 

•  The  benefit  of  the  change  in  relation  to  its  CDF/LERF  increase 
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The  practicality  of  accomplishing  the  change  with  a  smaller  CDF/LERF  impact,  and 

The  practicality  of  reducing  CDF/LERP  when  there  is  reason  to  believe  that  the  baseline 
CDF/LERE  are  above  the  guideline  values  (i.e.,  10"*  and  10'^  per  reactor  year). 
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AEOD 

analysis  and  evaluation  of  operational  data 

ATWS 

anticipated  transient  without  scram 

BNL 

Brookhaven  National  Laboratory 

BWR 

boiling  water  reactor 

CBP 

computer-based  procedures 

CCDF 

cumulative  value  of  core  damage  frequency 

CDF 

core  damage  frequency 

CR 

control  room 

DBE 

design  basis  event 

DHR 

decay  heat  removal 

ECCS 

emergency  core  cooling  system 

EOF 

emergency  operating  procedures 

FSAR 

final  safety  analysis  report 

GDC 

general  design  criteria 

GTG 

generic  technical  guidelines 

HA 

human  actions 

HFE 

human  factors  engineering 

HRA 

human  reliability  analysis 

HSI 
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1  INTRODUCTION 


In  Information  Notice  (IN)  91-18  (NRC,  1991),  the  U.S.  Nuclear  Regulatory  Commission  (NRC) 
discussed  the  conditions  under  which  manual  actions  may  be  used  in  place  of  automatic  actions 
for  safety  system  operations.  IN  97-78  (NRC,  1997)  alerted  licensees  to  the  importance  of 
considering  the  effects  on  human  performance  of  such  changes  made  to  plant  safety  systems: 

The  original  design  of  nuclear  power  plant  safety  systems  and  their  ability  to  respond  to  design- 
basis  accidents  are  described  in  licensees'  FSARs  and  were  reviewed  and  approved  by  the  NRC. 

Most  safety  systems  are  designed  to  rely  on  automatic  system  actuation  to  ensure  that  the  safety 
systems  are  capable  of  carrying  out  their  intended  functions.  In  a  few  cases,  limited  operator 
actions,  when  appropriately  justified,  were  approved.  Proposed  changes  that  substitute  manual 
action  for  automatic  system  actuation  or  that  modify  existing  operator  actions,  including  operator 
response  times,  that  were  not  reviewed  and  approved  during  the  original  licensing  review  of  the 
plant  may  raise  the  issue  of  an  unreviewed  safety  question  (USQ).  Such  changes  must  be 
evaluated  under  the  criteria  of  10  CFR  50.59  to  determine  whether  a  USQ  is  involved  and  whether 
NRC’s  review  and  approval  are  required  before  implementation...  In  the  NRC  staffs  experience, 
many  of  the  changes  involving  operator  actions  proposed  by  licensees  do  involve  a  USQ. 

A  definition  of  the  term  “safety-related  operator  action”  (SROA)  is  provided  in  ANSI/ANS-58.8- 
1994: 


A  manual  action  required  by  plant  emergency  procedures  that  is  necessary  to  cause  a  safety- 
related  system  to  perform  its  safety-related  function  during  the  course  of  any  DBE.  The 
successful  performance  of  a  safety-related  operator  action  might  require  that  discrete 
manipulations  be  performed  in  a  specific  order,  (p.4) 

The  guidance  presented  in  this  document  can  be  used  to  address  all  SROAs,  as  well  as  other 
required  operator  actions. 

The  present  document  proposes  the  use  of  a  graded,  risk-informed  approach  in  conformance  with 
Regulatory  Guide  (RG)  1.174  (NRC,  1998)  and  provides  guidance  for  reviewing  the  human 
performance  aspects  of  changes  to  plant  systems  and  operations  (the  technical  basis  for  this 
guidance  is  provided  in  O’Hara,  Higgins,  and  Stubler,  2000).  The  guidance  uses  risk  insights  to 
determine  the  level  of  regulatory  review  the  staff  should  perform.  Human  actions  (HAs)  that  are 
considered  more  risk  significant  receive  a  detailed  review,  while  those  of  less  risk  significance 
receive  a  less  detailed  review  commensurate  with  their  risk. 

The  evaluation  method  uses  a  two-phase  approach.  The  first  phase  is  a  screening  analysis  of  the 
licensee’s  identification  of  affected  HAs  and  a  determination  of  their  risk  importance.  This 
information  is  used  to  locate  the  plant  modification  and  its  associated  HAs  in  risk  space  using 
guidance  similar  to  that  of  RG  1.174.  Essentially,  plant  modifications  and  their  tissociated  HAs 
are  categorized  into  high,  medium,  and  lower  risk  based  on  the  three  regions  discussed  in  the 
RG.  This  categorization  is  used  to  determine  the  level  of  human  factors  engineering  (HFE) 
review  needed. 
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In  the  second  phase,  HAs  are  reviewed.  The  intent  of  this  phase  is  to  ensure  the  proposed  HA 
can  be  reliably  performed  when  needed.  Again,  the  details  of  the  review  are  commensurate  with 
the  risk.  Two  levels  of  NRC  review  are  presented.  A  Region  I  review  is  used  for  HAs  falling 
into  the  high-risk  category  (see  Section  3  of  this  report).  It  examines  the  licensee’s  planning, 
analysis,  design  activities,  and  verification  and  validation,  as  related  to  the  change.  The  review 
criteria  are  based  on  an  adaptation  of  existing  NRC  review  guidance  for  HFE,  as  found  in; 
NUREG-0800  (NRC,  1996a),  NUREG-071 1  (NRC,  1994),  NUREG-0700,  Rev.  1,(NRC, 
1996b),  and  IN  97-78  (NRC,  1998).  The  adaptation  is  based  on  a  consideration  of  the  types  of 
cases  for  which  this  guidance  will  be  used.  This  was  accomplished  by  an  analysis  of  past  cases 
reviewed  by  NRC  (Higgins,  et  al.,  1999).  While  HAs  in  the  high-risk  area  of  Region  I  are 
generally  not  desired,  there  are  certainly  examples  of  such  actions  in  plants  today,  such  as,  the 
pressurized  water  reactor  (PWR)  emergency  core  cooling  system  (ECCS)  switchover.  Also, 
there  may  be  extenuating  circumstances  in  which  the  licensee  can  adequately  justify  a 
modification  to  add  a  Region  I  HA,  e.g.,  if  the  change  is  temporary  or  if  there  are  other  changes 
that  lower  the  core  damage  frequency  (CDF).  Another  important  consideration  is  whether  and 
how  well  the  licensee  has  addressed  the  HFE  aspects  of  the  modification. 

HAs  in  the  medium  risk  category  would  receive  a  Region  II  review  by  the  NRC.  While  the 
guidance  addresses  the  same  topical  areas  as  the  Region  I  review,  the  extent  of  the  staff  review  is 
considerably  less  (see  Section  4  of  this  report). 

Finally,  the  third  region  is  called  lower  risk  to  indicate  that  the  modification  involves  less  risk 
than  those  in  the  high  or  medium  regions.  However,  even  at  this  lower  level  there  is  some 
residual  risk  that  may  be  of  continued  concern,  especially  if  many  of  these  lower  risk  items 
accumulate.  For  HAs  in  the  lower  risk  category  (Region  III),  staff  review  would  be  limited  to 
verification  that  the  action  is,  in  fact,  in  Region  III.  Such  a  verification  can  be  accomplished  by 
reviewing  the  licensee’s  analysis  methods  and  risk  results  that  show  the  placement  of  the  action 
in  that  risk  region.  No  human  factors  review  is  necessary. 

In  keeping  with  RG  1. 1 74,  this  guidance  does  not  preclude  other  approaches  for  requesting 
changes  to  a  plant’s  licensing  basis  or  other  approaches  for  requesting  changes  in  HAs.  Rather, 
this  review  approach  is  intended  to  improve  consistency  in  regulatory  decisions  in  areas  where 
the  results  of  risk  analyses  are  used  to  help  justify  regulatory  action.  RG  1.174  notes  that  the 
principles,  process,  and  approach  discussed  therein  also  provide  useful  guidance  for  the 
application  of  risk  information  to  a  broader  set  of  activities  than  plant-specific  changes  to  a 
plant's  licensing  basis  (i.e.,  generic  activities),  and  licensees  are  encouraged  to  use  this  guidance 
in  that  regard. 
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The  RG  notes  that  the  use  of  probabilistic  risk  assessment  (PRA)  technology  should  be  increased 
in  all  regulatory  matters  to  the  extent  supported  by  the  state  of  the  art  in  PRA  methods  and  data. 
Its  application  should  complement  the  NRCs  deterministic  approach  and  support  the  NRC's 
traditional  defense-in-depth  philosophy.  This  approach  to  the  NRC  review  of  HAs  also  takes  this 
concept  into  consideration. 

RG  1 . 1 74  notes  that  decisions  concerning  proposed  changes  are  expected  to  be  reached  in  an 
integrated  fashion,  considering  traditional  engineering  and  risk  information.  They  may  be  based 
on  qualitative  factors  as  well  as  quantitative  analyses  and  information.  Thus,  the  approach 
presented  herein  also  considers  such  qualitative  factors. 

TTie  Commission  also  noted  on  many  occasions  that  the  regulatory  process  should  become  “risk- 
informed”  as  opposed  to  “risk-based”  (Thadani,  1998,  p.l).  Thus,  the  approaches  described  here 
retain  some  deterministic  aspects,  for  example  dealing  with  defense-in-depth,  meeting  existing 
regulatory  requirements,  and  addressing  the  HFE  aspects  of  the  HAs. 

This  guidance  is  expected  to  contribute  to  satisfying  the  NRC’s  goals  of  (1)  maintaining  safety, 
(2)  increasing  public  confidence,  (3)  increasing  regulatory  efficiency  and  effectiveness,  and  (4) 
reducing  unnecessary  regulatory  burden.  By  implementing  the  guidance  presented  in  this 
document,  the  NRC  will  improve  the  regulatory  process  in  three  areas;  foremost,  through  safety 
decision-making  enhanced  by  the  use  of  PRA  insights;  through  more  efficient  use  of  agency 
resources;  and  through  a  reduction  in  unnecessary  burdens  on  licensees.  The  use  of  risk  insights 
in  licensee  submittals  requesting  changes  in  HAs  will  assist  the  staff  in  the  disposition  of  such 
licensee  proposals. 
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2.1  Affected  Human  Actions 

Changes  to  HAs  may  result  from  a  variety  of  plant  activities  such  as:  plant  modifications, 
procedure  changes,  equipment  failures,  justifications  for  continued  operations  (JCOs),  and 
identified  discrepancies  in  equipment  performance  or  safety  analyses.  The  licensee  should 
evaluate  changes  in  these  various  activities  to  determine  their  effect  on  HAs.  The  following 
changes  to  HAs  may  occur  as  a  result  of  these  plant  activities: 

•  New  actions  -  an  action  that  was  not  previously  performed  by  personnel  such  as 
when  an  action  formerly  performed  by  automation  is  allocated  to  the  operators 

•  Modified  actions  -  a  change  to  the  way  actions  were  previously  performed,  such 
as  through  the  introduction  of  new  task  steps  (e.g.,  due  to  new  system 
components,  a  modification  to  a  component,  or  failed  components),  or  the 
introduction  of  new  control  and  display  devices  for  performing  the  action 

•  Modified  task  demands  -  rather  than  affecting  the  task  steps  themselves,  a  change 
in  the  plant  may  affect  the  task  demands,  such  as  the  amount  of  time  available. 

2.2  Overview  of  Screening  Process 

Any  changes  that  affect  the  licensee’s  Final  Safety  Analysis  Report  (FSAR)  will  require  the 
licensee  to  perform  a  50.59  evaluation.  This  evaluation  may  result  in  the  identification  of 
changes  that  require  NRC  review  and  approval  because  they  result  in  more  than  a  minimal 
increase  in  risk,  as  defined  by  one  of  the  eight  criteria  of  the  new  revised  10  CFR  50.59  (c)  (2). 
The  present  document  provides  guidance  for  the  NRC  review  of  changes  to  HAs  that  exceed  the 
threshold  criteria  of  50.59  (c)  (2).  This  document  also  provides  some  less  detailed  guidance  for 
instances  in  which  the  changed  HAs  do  not  require  an  NRC  review. 

The  intent  of  the  50.59  process  is  to  permit  licensees  to  make  changes  to  their  facilities,  provided 
the  changes  maintain  the  level  of  safety  documented  in  the  original  licensing  basis,  such  as  the 
final  safety  analysis  report  (FSAR),  as  updated.  Historically  the  process  has  been  structured 
eiround  the  licensing  approach  to  design-basis  events.  The  staff  has  recognized  that  the  50.59 
process  needed  improvement  to  become  consistent  with  the  Commission  policy  of  risk-informed 
regulation  (Thadani,  1998).  Thus,  the  NRC  has  developed  various  proposals  to  formally  modify 
the  50.59  process  to  incorporate  risk  insights. 
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The  rule  making  to  revise  the  10  CFR  50.59  requirements  was  published  as  a  final  rule  on 
October  4,  1999  (64  FR  53582).  The  revisions  to  10  CFR  50.59  become  effective  90  days  after 
approval  of  regulatory  guidance.  As  part  of  its  efforts  to  finalize  this  regulatory  guidance,  the 
staff  issued  Draft  Regulatory  Guide  (DG-1095), "  Guidance  for  Implementation  of  10  CFR  50.59 
(Changes,  Tests,  and  Experiments)"  for  public  comment  in  the  Spring  of  2000.  Upon  resolution 
of  the  comments,  the  staff  plans  forward  a  final  regulatory  guide  to  the  Commission  for  approval 
by  September  30,  2000.  The  methods  provided  in  this  document  are  consistent  with  the  intent  of 
the  revised  10  CFR  50.59  and  combine  risk-informed  approaches  with  both  qualitative  and 
quantitative  human  factors  review  methods. 

The  risk  screening  of  this  section  is  a  general  risk-informed  evaluation,  which  is  performed  first 
and  then  may  be  followed,  as  appropriate,  by  the  human  factors  evaluations  of  Section  3  and  4. 
RG  1.174  (in  particular  the  Acceptance  Guidelines  Figures  #3  &  #4)  was  used  to  develop  the 
risk-informed  approach  herein.  Figures  2. 1  and  2.2  below  are  adapted  from  these  Figures  and 
contain  the  screening  guidelines  for  Core  Damage  Frequency  (CDF)  and  Large  Early  Release 
Frequency  (LERF),  respectively.  These  figures  show  a  plant’s  baseline  risk  on  the  x-axis  and 
ACDF  and  ALERF  due  to  a  plant  modification  or  change  on  the  y-axis.  The  figures  contain 
three  regions  on  the  x-y  plane  that  determine  whether  a  change  is  permissible  or  what  other 
actions  may  be  necessary  if  the  change  is  to  be  implemented.  In  the  high-risk  area  of  Region  I, 
the  proposed  changes  would  generally  not  be  permitted.  However,  there  may  be  extenuating 
circumstances  in  which  the  licensee  can  adequately  justify  the  modification.  Another  important 
consideration  is  how  well  the  licensee  addressed  the  HFE  aspects  of  the  modification.  In  the 
medium-risk  area  of  Region  II,  some  changes  are  permitted.  In  the  lower  risk  area  of  Region  III, 
most  changes  would  be  permitted.  In  accordance  with  RG  1.174  methods  (Section  3.3.2),  the 
cumulative  changes  in  risk  from  Regions  I,  II,  and  III  should  be  tracked  by  the  licensee. 

Changes  proposed  by  licensees  may  be  permanent  or  temporary.  This  guidance  addresses  both 
cases. 

There  are  two  ways  to  determine  the  risk  importance  of  HAs:  through  the  use  of  the  plant 
specific  PRA  and  through  the  use  of  generic  information.  Trial  applications  of  these  methods 
have  shown  that  plant  specific  approaches  are  necessary  to  accurately  place  the  affected  HAs  in 
the  risk  regions  of  Figures  2.3  &  2.4.  However,  a  method  of  using  generic  information  is  also 
discussed  below,  in  case  it  is  needed  by  NRC. 

The  licensee  should  determine  the  risk  importance  of  the  proposed  change  in  order  to  place  it  on 
Figures  2. 1  and  2.2  and  to  determine  the  appropriate  level  of  review.  These  may  initially  be 
simplified  or  scoping  risk  calculations.  Any  scoping  type  analyses  should  be  appropriate  to  the 
modification  or  change  in  HA  involved  to  ensure  that  actual  changes  in  risk  are  reflected  in  the 
calculations.  If  the  change  is  in  Region  II  or  Region  III  no  further  detailed  risk  calculations  may 
be  necessary.  However,  if  the  change  is  in  Region  I,  then  the  PRA  and  human  reliability  analysis 
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(HRA)  should  be  requantified  per  Section  3.7  of  the  Region  I  review  guidance  to  address  the 
change.  This  requantification  should  eventually  account  for  all  aspects  of  the  change,  including 
those  that  result  from  the  Region  I  review. 

In  accordance  with  RG  1.174,  licensee  submittals  are  not  necessarily  required  to  include  risk 
information.  If  a  licensee  is  requesting  approval  of  a  modification  involving  changes  in  human 
actions  and  does  not  wish  to  have  a  risk-informed  review,  then  NRC  must  still  decide  what  level 
of  human  factors  review  is  necessary.  The  NRC  may  decide  the  appropriate  level  of  review  on  a 
wholly  deterministic  basis.  Alternatively,  the  NRC  may  use  generic  risk  information  to  make  a 
conservative  determination  as  to  the  appropriate  level  of  review.  This  generic  method  is 
discussed  below  near  the  end  of  this  section  and  is  summarized  in  Table  2.1 .  In  the  event  that  the 
licensee  has  not  submitted  risk  information,  but  there  appear  to  be  unusual  circumstances  that 
could  introduce  significant  and  unanticipated  risks,  the  NRC  reviewer  should  consult  the 
guidance  in  NRC  Regulatory  Issue  Summary  2000-07,  "Use  of  Risk-informed  Decisionmaking 
in  License  Amendment  Reviews"  (NRC,  2000a). 

The  risk  screening  is  designed  as  a  two-step  process.  Step  1  is  used  to  determine  if  there  is  any 
significant  change  in  risk  due  to  the  modification.  If  there  is,  then  one  proceeds  to  Step  2  in 
order  to  determine  the  appropriate  level  of  human  factors  review. 

2.3  Step  1  -  Change  in  Risk  Due  to  Permanent  Modification 

As  noted  above,  changes  proposed  by  licensees  may  be  permanent  or  temporary.  Permanent 
changes  are  discussed  first,  followed  by  temporary  changes.  The  screening  for  temporary 
changes  includes  consideration  of  both  the  time  the  temporary  change  will  be  in  place  as  well  as 
the  change  in  risk.  For  screening  purposes,  all  modifications  should  first  be  passed  through  the 
permanent  changes  section  below.  If  a  temporary  change  has  risk  lower  than  the  permanent 
change  criteria,  then  no  NRC  review  will  be  required.  If  the  change  in  risk  due  to  the  temporary 
change  is  above  the  minimum  criteria  here,  then  proceed  to  the  temporary  section  to  evaluate  the 
integrated  risk.  If  the  change  is  only  in  place  for  a  short  time  period,  it  still  may  not  require  NRC 
review. 

For  the  permanent  changes.  Figures  2.1  and  2.2  below  are  used  for  determining  a  change’s  risk 
importance  with  respect  to  core  damage  frequency  (CDF)  and  large  early  release  frequency 
(LERF).  When  using  a  plant-specific  PRA,  the  licensee  (or  NRC)  should  calculate  the  change  in 
risk  due  to  the  modification  (ACDF^n^j)  that  includes  the  new  human  action,  as  follows: 

ACDF^od  =  [new  CDF  (with  modification  in-place)  -  current  baseline  CDF] 
where:  ACDF^oj  is  the  change  in  Core  Damage  Frequency  due  to  the  modification. 
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The  value  ACDF^ioj  should  be  placed  in  one  of  the  three  Regions  of  Figure  2.1,  Acceptance 
Guidelines  for  Core  Damage  Frequency. 

Similarly  the  change  in  risk  due  to  LERF  is  evaluated  using  Figure  2.2  .  LERF  is  an  important 
consideration  when  the  modification  affects  systems  that  mitigate  offsite  releases  post-core¬ 
damage  ,  such  as  the  containment  systems.  An  experienced  reviewer  can  usually  judge  whether 
the  LERF  evaluation  is  necessary  or  if  the  CDF  evaluation  alone  will  suffice.  This  is  because 
many  changes  will  not  affect  LERF  independently  from  CDF. 

ALERFn,od  =  [new  LERF  (with  modification  in-place)  -  current  baseline  LERF], 

where:  ALERF^i^d  is  the  change  in  Large  Early  Release  Frequency  due  to  the  modification. 

If  both  ACDFnjojand  ALERF^oj  are  in  Region  III,  there  would  be  no  human  factors  review 
specified.  If  either  one  is  in  Region  I  or  II,  then  proceed  to  Step  2  of  the  screening. 
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Figure  2.1  Acceptance  Guidelines  for  Core  Damage  Frequency  (CDF) 

(Adapted  from  Figure  3  of  RG  1.174) 
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Baseline  LERF  (Large  Early  Releases  /  Rx  Year) 

Figure  2.2  Acceptance  Guidelines  for  Large  Early  Release  Frequency  (LERF) 

(Adapted  from  Figure  4  of  RG  1.174) 


2.4  Step  1  -  Change  in  Risk  Due  to  Temporary  Modification 

Changes  associated  with  operator  actions  are  often  temporary  changes,  implemented  to  address 
equipment  or  analysis  problems  until  other,  more  permanent  corrective  actions  can  be  planned 
and  completed.  Sometimes  temporary  changes  involve  substituting  HAs  for  automatic  equipment 
that  is  temporarily  inoperable  and  cannot  be  restored  within  the  time  interval  required  by  the 
plant  technical  specifications.  For  temporary  changes,  the  risk  screening  also  considers  the  time 
interval  that  the  modification  will  be  in  place  and  uses  Figures  2.3  &  2.4  for  determining  risk 
information  and  the  level  of  HFE  review.  In  this  fashion,  the  screening  describes  a  method  to 
quantitatively  evaluate,  in  an  integrated  fashion,  both  the  increase  in  risk  and  the  length  of  time 
that  the  risk  increase  will  be  in  place. 

The  risk  calculated  by  a  PRA  can  be  expressed  in  a  variety  of  ways:  as  an  instantaneous  value 
(often  calculated  for  configuration  risk  management  purposes),  an  average  value  of  CDF  over  a 
reactor  year  (the  most  common  value  that  is  cited),  or  a  cumulative  value  of  core  damage 
frequency  (CCDF)  computed  over  a  defined  time  interval.  The  CCDF  can  be  calculated 
accurately  using  statistical  techniques.  A  simplified  method  of  viewing  the  cumulative  or 
integrated  risk  is  to  multiply  the  CDF  by  the  time  in  question.  This  gives  reasonable  results  for 
the  type  of  screening  review  the  NRC  is  performing  for  risk-important  HAs.  Thus,  equations  for 
integrated  risk  can  be  written  as  follows: 
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Integrated  CDF  Risk  (mod)  =  ACDF^o^  x  time  (mod)  =  ICCDP,  or 
Integrated  LERF  Risk  (mod)  =  ALERFn,od  x  time  (mod)  =  ICLERP, 

where: 


Integrated  Risk  (mod)  is  the  integrated  risk  due  to  the  modification  over  the  time  that  the 

change  or  modification  is  to  be  in  place,  expressed  as  CDF  or  LERF;  and 

time  (mod)  is  the  length  of  time  that  the  change  or  modification  is  to  be  in  place. 

The  value  of  Integrated  CDF  Risk  (mod)  can  be  roughly  interpreted  as  the  change  in  the  expected 
number  of  core  damage  events  in  the  plant  in  question  over  the  time  period  due  to  the 
modification.  This  concept  of  integrated  risk  is  also  used  in  RG  1.177,  where  the  Integrated  CDF 
Risk  is  called  the  incremental  conditional  core  damage  probability  (ICCDP)  and  the  Integrated 
LERF  Risk  (mod)  is  called  the  incremental  conditional  large  early  release  probability  (ICLERP). 

RG  1 . 1 74  is  designed  to  address  changes  to  the  licensing  basis  of  a  plant  and  primarily  addresses 
permanent  changes.  As  such,  Figures  3  and  4  of  the  RG,  that  contain  the  acceptance  guidelines 
for  CDF  and  LERF,  do  not  explicitly  address  time.  However,  RG  1.177  utilizes  the  integrated 
risk  measure  (ICCDP)  similarly  for  evaluating  the  acceptability  of  integrated  risk  over  periods  of 
time  that  equipment  is  out  of  service  (allowed  outage  time  or  AOT).  This  RG  (in  Section  2.4) 
uses  an  acceptability  limit  of  5  E-7  events  per  Reactor-year  for  ICCDP,  since  that  is  considered 
to  be  a  small  risk  increase  for  a  single  Technical  Specification  AOT  change.  Therefore,  this 
value  is  selected  for  the  boundary  between  Regions  II  and  III.  Correspondingly  we  use  5  E-6 
events  per  reactor-year  as  the  boundary  between  Regions  I  and  II.  Similarly  for  ICLERP,  RG 
1.177  uses  5  E-8  events  per  reactor-year  for  the  limit  on  a  small  LERF  increase.  This  value  has 
been  adopted  as  well.  Thus  the  two  boundary  values  for  integrated  risk  increase  for  LERF  are  5 
E-8  and  5E-7  events  per  reactor-year.  The  resulting  new  figures  are  shovra  below  as  Figures  2.3 
and  2.4.  The  Regions  in  the  Figures  can  be  interpreted  similarly  to  the  three  Regions  of  the 
Figures  of  RG  1.174,  namely:  Region  I  -  changes  normally  not  permitted  without  extenuating 
circumstances;  and  Region  II  and  III  -  changes  permitted,  but  track  cumulative  impacts  of 
multiple  changes.  In  addition  to  screening,  the  integrated  risk  information  will  also  be  useful  in 
making  the  final  decision  on  the  implementation  of  a  temporary  modification,  as  discussed  in 
Section  5  herein 

The  above  equations  calculate  the  integrated  risk  due  to  the  modification  over  the  time  and  the 
Figures  contain  screening  guidelines  for  the  integrated  risk.  The  integrated  risk  due  to  the 
ACDF„,od  and  the  ALERF^oj  should  be  plotted  on  Figures  2.3  and  2.4.  The  example  application 
provided  in  Attachment  B  (attachments  can  be  found  at  the  end  of  this  document)  herein  also 
gives  results  for  the  integrated  risk  associated  with  the  example.  Through  the  methods  here  one 
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may  allow  a  larger  value  of  risk  increase,  if  the  time  that  the  modification  will  be  in  place  is 
relatively  short.  Conversely,  longer  periods  of  time  for  changes  entail  greater  integrated  risk. 
Similar  to  the  section  on  permanent  changes  above,  if  both  the  Integrated  CDF  Risk  (mod)  and 
the  Integrated  LERF  Risk  (mod)  are  in  Region  III,  there  would  be  no  human  factors  review 
specified.  If  either  one  is  in  Region  I  or  II,  then  proceed  to  Step  2  of  the  screening. 
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2.5  Step  2  -  Risk  Due  to  the  Affected  Human  Action 

This  step  is  used  when  the  modification  involves  risk  significant  changes  (as  shown  in  Step  1). 
The  step  evaluates  the  risk  significance  of  the  HA  not  being  performed  correctly.  For  this  step, 
utilize  the  ACDFhaj  which  is  the  change  in  risk  due  to  the  failure  of  the  new  HA  (ACDFha)-  It  is 
defined  as: 

ACDFha  (new  HA)  =  [CDF  with  new  HA  failed  -  new  CDF  (with  mod.  in-place)]. 

Use  the  value  ACDFha  to  place  the  modification  into  one  of  the  three  Regions  of  Figure  2. 1 .  The 
Risk  Achievement  Worth  (RAW)  importance  measure,  is  discussed  in  NUREG/CR-3385  (Vesely, 
et  al.,  1983).  For  this  application  the  interval  method  of  calculating  the  RAW  was  selected. 

While  the  ratio  method  is  more  common  now,  the  interval  method  gives  equivalent  results. 
Further,  use  of  the  interval  method  allows  the  use  of  the  same  Figure  2.1  and  the  same  acceptance 
criteria  that  separate  the  three  Regions  of  the  figure  for  both  Step  1  and  Step  2  of  this 
methodology.  This  is  important  since  the  figures  and  values  dividing  the  Regions  come  from  RG 
1.174. 

A  licensee  may  want  to  perform  a  one-time,  plant-specific  risk  assessment  to  determine  their  risk 
significant  HAs,  and  to  place  them  in  the  regions  of  the  figures.  Many  licensees  have  already 
done  so  in  their  Individual  Plant  Examinations  (IPEs).  When  a  particular  modification  affecting 
HAs  is  proposed,  the  licensees  can  perform  a  plant-specific  and  human-action-specific  risk 
evaluation  for  that  modification  to  ensure  proper  placement  on  the  Figures. 

Calculations  for  LERF  for  use  in  Figure  2.2  would  be  done  similarly  to  the  above  calculations  for 
CDF  and  Figure  2.1.  If  the  calculation  and  placement  on  the  Figures  is  performed  by  the  licensee, 
the  results  and  placement  in  Figures  2. 1  and  2.2  should  be  submitted  to  the  NRC.  The  results  of 
Step  2  of  the  screening  process  are  used  in  Section  2.8  below  to  determine  the  appropriate  level  of 
HFE  review  by  the  NRC. 

2.6  Generic  Approach 

A  generic  approach  may  be  needed  if  the  licensee  has  chosen  not  to  submit  risk  information.  An 
approximation  to  the  risk  importance  of  the  HA  can  be  determined  generically  using  Tables  A.  1 
and  A.2  in  Attachment  A,  for  boiling  water  reactors  (BWRs)  and  pressurized  water  reactors 
(PWRs)  respectively.  These  HAs  were  identified  from  the  risk-informed  assessment  process 
(Azarm,  Higgins,  and  Chu,  1999)  and  from  NUREG-1560.  The  HAs  are  organized  into  two 
groups.  Group  1  contains  the  most  risk-important  HAs  in  the  plant  Risk  Information  Matrices 
(RIMs)  used  for  the  pilot  risk-informed  assessment  process.  RAW  calculations  on  Group  1  HAs 
would  typically  place  them  in  Region  I  of  Figure  2.1.  Group  2  HAs  are  considered  to  be 
“potentially”  risk-important.  That  is,  they  would  appear  in  Region  I  for  some,  but  not  all,  plants. 
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Typically,  they  impact  risk,  but  not  as  significantly  as  the  Group  1  actions.  However,  at  some 
plants  they  may  be  quite  risk-important.  They  are  included  in  the  second  section  of  the  plant 
RIMs  as  potentially  important  HAs. 

These  two  groups  of  generic  risk-important  HAs  can  be  used  by  the  NRC  and  by  licensees  as  a 
quality  check  on  the  results  of  the  plant  specific  calculations.  They  can  also  be  used  to  assist  the 
NRC  reviewer  in  determining  an  estimate  of  the  risk  importance  of  human  actions  associated  with 
a  modification,  if  the  licensee  has  chosen  not  to  make  a  risk-informed  submittal.  This  will  then 
assist  the  NRC  reviewer  in  determining  the  appropriate  level  of  human  factors  review  for  such 
situations. 

As  noted  above,  RAW  calculations  for  Group  1  actions  themselves  will  typically  fall  into  Region 
I.  However,  minor  changes  to  a  human  action  may  not  significantly  alter  the  risk  associated  with 
the  action.  If  so,  the  technical  basis  for  this  result  should  be  carefully  understood  and 
documented.  If  no  risk  submittal  is  made  and  the  plant  modification  involves  more  than  a  minor 
change  to  a  Group  1  action,  then  the  NRC  reviewer  should  assume  that  it  is  a  Region  I  change. 
Changes  related  to  Group  2  actions  typically  fall  into  Regions  I  or  II.  Thus,  if  such  a  change  is 
judged  to  be  in  Region  III,  the  reasons  should  also  be  explained.  If  no  risk  submittal  is  made  and 
the  plant  modification  involves  more  than  a  minor  change  to  a  Group  2  action,  then  the  NRC 
reviewer  should  conservatively  assume  that  it  is  a  Region  I  change.  It  is  important  to  note  that,  on 
a  plant  specific  basis,  actions  not  listed  in  Tables  A.l  and  A. 2  may  also  be  risk-significant,  and 
can  fall  into  either  Region  I  or  II.  That  is,  one  cannot  conclude  that  if  an  action  is  not  listed  on 
either  table,  it  is  not  important  to  risk.  Thus,  if  no  risk  submittal  is  made  and  the  plant 
modification  involves  an  action  that  is  not  in  Group  1  or  2,  then  an  additional  step  is  taken  to 
determine  whether  the  action  involves  risk-important  systems  for  the  plant  in  question.  The  risk- 
important  systems  can  be  obtained  from  the  plant’s  individual  plant  examination  (IPE)  or  from  the 
plant-specific  Risk-Informed  Inspection  Notebook  that  have  been  completed  by  the  NRC.  If  the 
action  involves  a  risk-important  system,  and  there  are  more  than  minor  changes  involved,  then  the 
HA  is  considered  in  Region  I.  Similarly,  if  it  involves  a  system  of  moderate  importance,  the  HA 
is  considered  in  Region  II.  If  the  modification  involves  only  systems  with  lower  risk-importance, 
it  is  considered  as  a  Region  III  HA.  This  logic  is  summarized  in  Table  2.1. 

HAs  that  have  no  impact  on  risk  would  be  outside  of  the  area  depicted  in  the  figures.  This  can  be 
considered  as  below  Region  III.  Changes  in  this  area  would  be  permitted  with  normal  licensee 
modification  controls. 
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Table  2.1  Placement  of  HAs  in  Risk  Regions  for  Submittals  without  Risk  Information 


Generic  Groups 
that  contain  the  HA 

Systems  involving  the  HA 

Risk  Region 
to  place  the  HA 

Group  1 

NA 

I 

1  Group  2 

NA 

1 

f 

Neither  Group 

Risk-important 

1 

Neither  Group 

Moderate  risk  importance 

II 

Neither  Group 

Lower  risk  importance 

III 

2.7  Comparison  of  PRA  Results  to  Acceptance  Guidelines 

This  section  provides  guidance  on  comparing  the  results  of  the  PRA  risk  calculations  for  Steps  1 
and  2  with  the  risk  guidelines  that  separate  the  Regions  in  Figures  2.1  and  2.2.  Also,  in  the 
context  of  integrated  decision-making,  as  discussed  in  Section  5,  the  guidelines  should  not  be 
interpreted  as  being  overly  prescriptive.  They  are  intended  to  provide  an  indication,  in  numerical 
terms,  of  what  is  considered  acceptable.  As  such,  the  numerical  values  associated  with  defining 
the  regions  in  the  Figures  are  approximate  values  that  provide  an  indication  of  the  changes  that  are 
generally  acceptable.  An  example  application  of  the  methodology  is  provided  in  Attachment  B 
herein.  Furthermore,  the  state  of  knowledge  type  (epistemic)  of  uncertainties  associated  with 
PRA  calculations  preclude  a  definitive  decision  with  respect  to  which  region  the  application 
belongs  in  based  purely  on  the  numerical  results. 

The  intent  of  comparing  the  PRA  results  with  the  acceptance  guidelines  is  to  demonstrate  (with 
reasonable  assurance)  that  proposed  increases  in  CDF  or  risk  are  generally  small.  This  decision 
should  be  based  on  a  full  understanding  of  the  contributors  to  the  PRA  results  and  the  impacts  of 
the  uncertainties,  both  those  that  are  explicitly  accounted  for  in  the  results  and  those  that  are  not. 
RG  1.174,  Section  2.2.5  contains  a  discussion  of  the  various  types  of  uncertainty  that  may  need  to 
be  addressed.  This  is  a  somewhat  subjective  process,  and  the  reasoning  behind  the  decisions 
should  be  well  documented.  Guidance  on  considerations  is  also  contained  in  Section  2.2.5  of  the 
RG. 
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2-8  Level  of  HFE  Review  of  the  Affected  Human  Actions 

Once  the  changes  in  risk  and  the  actual  risk  associated  with  the  HAs  in  question  are  placed  in  the 
proper  region  of  the  risk  figures,  the  level  of  review  to  be  performed  is  determined.  The  review 
guidance  is  arranged  into  two  levels  so  that  the  most  risk  significant  changes  related  to  HAs 
(Region  I)  will  receive  a  more  thorough  review  and  so  that  the  less  risk  significant  changes 
(Region  II)  can  receive  a  more  efficient  review  appropriate  to  their  level  of  risk.  Changes  in  risk 
associated  with  HAs  that  fall  into  Region  III  will  only  be  reviewed  to  verify  that  they  have  been 
properly  classified  in  Region  III  and  that  they  meet  current  regulations. 

Based  on  the  licensee’s  50.59  analysis,  if  the  modification  affecting  the  HA  meets  any  of  the  eight 
criteria  of  50.59  (c)  (2),  then  it  is  submitted  to  the  NRC  for  review  and  approval.  Licensees  may 
use  the  screening  techniques  of  this  document  to  assist  them  in  their  50.59  screening  and 
evaluation.  The  NRC  reviewer  should  use  the  results  of  Step  2  above  to  place  the  changes 
associated  with  the  HA  into  the  regions  of  Figures  2.1  and  2.2  to  determine  the  level  of  required 
review  (see  Table  2.2). 

Region  I  -  Using  the  risk-informed  approach,  a  proposed  change  in  this  region  would 
generally  not  be  permitted.  However,  there  may  be  extenuating  circumstances  in  which 
the  licensee  justifies  the  modification,  e.g.,  if  the  change  is  temporary  and  avoids  other 
more  serious  problems;  or  there  are  other  corresponding  changes  that  lower  the  CDF.  If 
the  NRC  review  in  this  Region  is  to  proceed,  it  requires  more  substantial  review  by  NRC 
than  the  other  regions.  Therefore,  these  reviews  would  use  the  more  detailed  Region  I 
guidance,  in  Section  3,  which  includes  a  review  of  planning,  analyses,  design,  and 
verification  and  validation  activities  (such  as  simulator  trials),  and  a  performance 
monitoring  strategy. 

Region  II  -  Changes  in  this  region  are  evaluated,  but  require  a  less  detailed  Region  II 
review.  The  guidance  is  contained  in  Section  4. 

Region  III  -  The  licensee  should  document  and  the  NRC  may  verify  that  the  changes  in 
risk  associated  with  HA  is  correctly  located  in  Region  III.  The  NRC  may  also  verify  that 
current  regulations  are  still  being  met  with  the  change  in  place  (per  Criterion  1  of  Section 
3.1,  "General  Deterministic  Review  Criteria  ").  Based  on  the  location  in  Region  III,  the 
modification  would  be  accepted  based  on  the  low  risk,  without  NRC  review  of  its  HFE 
aspects.  Licensees  should  be  encouraged  to  utilize  the  Region  II  guidance  contained  in 
Section  4  to  ensure  that  the  HAs  can  be  accomplished  as  assumed.  If  the  change  resulted 
in  certain  of  the  current  regulations  not  being  met,  then  the  NRC  may  decide  to  elevate  the 
review  of  the  item  to  a  Region  II  review.  Note  that  even  though  these  HAs  may  have  met 
the  50.59  requirements  for  submittal  to  NRC,  verification  of  their  low  risk  by  the  NRC 
permits  acceptance  without  a  detailed  NRC  HFE  review. 
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Table  2.2  Levels  of  Review  for  Human  Actions 


Risk  Significance  of  HA 

NRC  Review  Actions 

Region  I 

-  Change  generally  not  permitted. 

-  Licensee  may  want  to  make  case  due  to  extenuating  circumstances,  such  as  a 
temporary  modification. 

-  Requires  the  full  Region  I  HFE  review. 

Region  II 

-  Region  II  HFE  review 

Region  III 

Change  permitted  without  detailed  NRC  review. 

-  Verify  change  is  in  Region  III  and  meets  current  regulations. 

-  Region  II  HFE  review  guidance  is  available  for  licensee  use. 
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The  guidance  presented  in  this  section  was  derived  mainly  from  RG  1.174,  NUREG-071 1,  and 
NUREG-0700,  Rev  1.  These  documents  can  be  consulted  for  additional  information. 

The  review  guidance  is  specified  in  a  broad  and  generic  form  to  accommodate  the  broad  diversity 
of  plant  and  HA  modifications  that  the  guidance  must  address.  Thus,  the  guidance  must  be 
tailored  to  the  requirements  of  each  specific  review.  For  any  specific  review,  one  or  more  of  the 
review  elements  presented  below  may  not  be  applicable. 

3.1  General  Deterministic  Review  Criteria 

Objective 

The  objective  of  this  section  is  to  provide  adequate  assurance  that  deterministic  aspects  of  design, 
as  discussed  in  RG  1.174,  have  been  appropriately  considered  by  the  licensee.  Deterministic 
aspects  include:  ensuring  the  change  meets  current  regulations,  and  does  not  compromise 
defense-in-depth. 

Scope 

The  deterministic  review  criteria  apply  to  all  modifications  associated  with  Region  I  HAs. 

Criteria 

(1)  The  licensee  should  provide  adequate  assurance  that  the  change  meets  current  regulations, 
except  where  specific  exemptions  are  requested  under  10  CFR  50.12  or  10  CFR  2.802. 

For  example,  a  change  might  be  identified  as  risk  significance  when  using  a  standard  PRA 
to  screen  for  risk.  However,  an  exemption  might  be  granted  under  one  or  more  of  the 
following  regulations:  10  CFR  20,  10  CFR  50  Appendix  A,  Criterion  19,  and  10  CFR  50 
Appendices  C  through  R. 

(2)  The  licensee  should  provide  adequate  assurance  that  the  change  does  not  compromise 
defense-in-depth.  Defense-in-depth  is  one  of  the  fundamental  principles  upon  which  the 
plant  was  designed  and  built.  Defense- in-depth  uses  multiple  means  to  accomplish  safety 
functions  and  to  prevent  the  release  of  radioactive  materials.  Defense-in-depth  is 
important  in  accounting  for  uncertainties  in  equipment  and  human  performance,  and  for 
ensuring  some  protection  remains  even  in  the  face  of  significant  breakdowns  in  particular 
areas.  Defense-in-depth  may  be  changed  but  should  overall  be  maintained.  Important 
aspects  of  defense-in-depth  include: 
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A  reasonable  balance  is  preserved  among  prevention  of  core  damage,  prevention  of 
containment  failure,  and  consequence  mitigation. 

There  is  no  over-reliance  on  programmatic  activities  to  compensate  for  weaknesses 
in  plant  design.  This  may  be  pertinent  to  changes  in  credited  operator  actions. 

System  redundancy,  independence,  and  diversity  are  preserved  commensurate  with 
the  expected  frequency,  consequences  of  challenges  to  the  system,  and 
uncertainties  (e.g.,  no  risk  outliers). 

Defenses  against  potential  common  cause  failures  are  preserved,  and  the  potential 
for  the  introduction  of  new  common  cause  failure  mechanisms  is  assessed. 

Caution  should  be  exercised  in  crediting  new  operator  actions  to  provide  adequate 
assurance  that  the  possibility  of  significant  common  cause  operator  errors  are  not 
created. 

Independence  of  barriers  is  not  degraded. 

Defenses  against  human  errors  are  preserved.  One  way  to  help  ensure  this  for  risk- 
important  HAs  is  to  establish  procedures  for  a  second  check  or  independent 
verification  that  such  important  actions  have  been  properly  executed. 

The  intent  of  the  General  Design  Criteria  (GDC)  in  Appendix  A  to  10  CFR  Part  50 
is  maintained.  GDCs  that  may  be  relevant  are  3  -  Fire  Protection,  13  - 
Instrumentation  and  Control,  17  -  Electric  Power  Systems,  19  -  Control  Room,  34  - 
Residual  Heat  Removal,  35  -  ECCS,  38  -  Containment  Heat  Removal,  and  44  - 
Cooling  Water. 

Safety  margins  often  used  in  deterministic  analyses  to  account  for  uncertainty  and 
provide  an  added  margin  to  provide  adequate  assurance  that  the  various  limits  or 
criteria  important  to  safety  are  not  violated.  Such  safety  margins  are  typically  not 
related  to  HAs,  but  the  reviewer  should  take  note  to  see  if  there  are  any  that  may 
apply  to  the  particular  case  under  review.  It  is  also  possible  to  add  a  safety  margin 
(if  desired)  to  the  HA  by  requiring  a  demonstration  that  the  action  can  be 
performed  within  some  time  interval  (or  margin)  that  is  less  than  the  time  required 
by  the  analysis. 
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3.2  Licensee’s  General  Approach  to  HFE 
Objective 

The  objective  of  this  review  is  to  provide  adequate  assurance  that  the  licensee  has  made  a 
commitment  to  address  the  human  performance  aspects  of  the  HA  to  ensure  that  the  action  can  be 
reliably  accomplished. 

Scope 

This  review  addresses  the  licensee’s  approach  to  addressing  HFE  considerations  in  the 
development  and  implementation  of  the  proposed  changes  in  the  HAs. 

Criteria 

The  criteria  for  this  review  are  identified  below. 

(1 )  Licensee  personnel  involved  in  designing  and  implementing  the  changes  in  HAs  should 
include  the  expertise,  such  as  operations,  human  factors,  training,  and  system  design, 
necessary  to  fully  analyze  HAs  and  to  design  the  human-system  interfaces  (HSIs), 
procedures,  and  training  necessary  to  provide  adequate  assurance  that  the  actions  can  be 
reliably  performed. 

(2)  The  licensee  should  commit  to  the  proper  development,  execution,  oversight,  and 
documentation  of  the  modifications  to  the  HSI,  procedures,  and  training  to  provide 
adequate  assurance  that  the  actions  can  be  reliably  performed. 

(3)  The  licensee  should  commit  to  a  structured,  top-down  systems 
human  performance  considerations  associated  with  the  change 
implementing  necessary  modifications  to  the  HSI,  procedures, 
should  include  the  following: 

•  Operating  experience  review 

•  Functional  requirements  analysis  and  allocation 

•  Task  analysis 

•  Staffing  analysis 

•  Probabilistic  risk  assessment  and  human  reliability  analysis 


approach  to  analyzing 
and  developing  and 
and  training.  The  approach 
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•  HSI  design 

•  Procedure  design 

•  Training  design 

•  Human  factors  verification  and  validation 

(4)  Plant  personnel  who  are  affected  by  the  HA  should  be  identified,  including  licensed 
control  room  operators  as  defined  in  10  CFR  Part  55  and  the  following  categories  of 
personnel  defined  by  10  CFR  50.120:  nonlicensed  operators,  shift  supervisor,  shift 
technical  advisor,  instrument  and  control  technician,  electrical  maintenance  personnel, 
mechanical  maintenance  personnel,  radiological  protection  technician,  chemistry 
technician,  and  engineering  support  personnel. 

(5)  The  applicable  components  of  the  HSI,  procedures,  and  training  programs  for 
accomplishing  the  HA,  should  be  identified. 

3.3  Operating  Experience  Review 

Objective 

The  objective  of  this  review  is  to  provide  adequate  assurance  that  the  licensee  has  identified  and 
analyzed  HFE-related  problems  and  issues  encountered  previously  in  designs  and  human  tasks 
that  are  similar  to  the  plarmed  modification  so  that  issues  that  could  potentially  hinder  human 
performance  can  be  addressed. 

Scope 

The  operating  experience  review  (OER)  encompasses  all  proposed  changes  to  HAs  and  addresses 
the  operating  histories  of  plant  systems,  HAs,  procedures,  and  HSI  technologies.  The  scope  of  the 
HSI  technology  review  can  be  graded  as  follows: 

(1)  If  existing  HSI  components  are  to  be  used  without  modification  and  if  they  are  currently 
used  for  safety-related  functions  within  the  plant,  then  a  review  of  the  operating 
experience  with  those  HSI  components  is  not  necessary. 

(2)  If  existing  HSI  components  are  to  be  used  without  modification  but  they  are  not  currently 
used  for  safety-related  functions  then  the  operating  experience  with  those  HSI  components 
should  be  reviewed. 
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(3)  If  new  HSI  components  are  to  be  installed  or  the  existing  HSI  is  to  be  modified  using  HSI 
technologies  that  have  not  been  previously  used  in  the  plant  for  safety-related  functions 
then  the  operating  experience  with  those  HSI  components  should  be  reviewed. 

Criteria 

The  criteria  for  revie v/ing  the  licensee’s  OER  are  identified  below. 

(1)  Plant  Systems  -  The  licensee’s  review  should  include  information  pertaining  to  (1)  the 
operation  and  maintenance  of  the  plant  system  prior  to  the  change  in  the  HAs,  and  (2)  the 
operation  and  maintenance  of  similar  systems  within  the  same  plant  or  at  other  plants. 

The  operating  experience  should  include  the  performance  of  the  plant  systems  during 
surveillance  and  maintenance  tests,  especially  for  plant  systems  that  are  not  used  during 
normal  plant  operations. 

(2)  Human  Actions  -  The  licensee’s  review  should  identify  performance  issues  associated  with 
procedural  guidance,  training,  and  HAs  for  the  system  prior  to  the  proposed  change  to  the 
actions,  including  the  types  of  actions  performed,  the  procedures  available  for  those 
actions,  and  the  adequacy  of  those  procedures.  In  addition,  the  OER  should  examine  the 
types  of  HAs,  procedural  guidance,  and  training  provided  for  similar  implementations 
within  the  same  plant  or  at  other  plants. 

(3)  HSI  Technologies  -  The  licensee’s  review  should  identify  human  performance  issues 
associated  with  HSI  technologies  for  the  proposed  changes  in  the  HAs. 

(4)  Recognized  Industry  HFE  Issues  -  The  basis  for  the  OER  should  include: 

•  Unresolved  safety  issues/generic  safety  issues 

•  Three-Mile  Island  (TMI)  issues 

•  NRC  generic  letters  and  information  notices 

•  Office  for  Analysis  and  Evaluation  of  Operational  Data  (AEOD)  Issues 

•  Low  power  and  shutdovm  operations 

•  Operating  plant  event  reports 

NUREG/CR-6400  (Higgins  and  Nasta,  1996)  reviews  these  operating  experience  topics 
and  may  provide  issues  relevant  to  the  proposed  changes  in  the  HAs. 
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(5)  Issues  Identified  by  Plant  Personnel  -Interviews  and  surveys  with  personnel  should  be 
conducted  to  determine  operating  experience  related  to  the  plant  system  before  the  change 
in  the  HAs.  Discussions  of  plant  operations  and  HFE/HSI  design  should  be  limited  to 
topics  relevant  to  the  change  in  the  HA. 

(6)  Development  of  Design  Input  -  Issues  identified  by  the  operating  experience  review  should 
be  documented  as  input  to  the  design  of  modifications  to  the  HSI,  procedures,  and 
training,  and  tracked  to  provide  assurance  that  they  are  addressed. 

3.4  Functional  Requirements  Analysis  And  Functional  Allocation 

Objective 

The  objective  of  this  review  is  to  provide  adequate  assurance  that  the  licensee  has: 

(1)  Defined  any  changes  in  the  plant's  safety  functions  (functional  requirements  analysis),  and 

(2)  Provided  evidence  that  the  allocation  of  functions  between  humans  and  automatic  systems 
provides  an  acceptable  role  for  plant  personnel;  i.e.,  the  allocations  take  advantage  of 
human  strengths  and  avoid  functions  that  would  be  negatively  affected  by  human 
limitations  (functional  allocation). 

Scope 

This  review  addresses  all  plant  functions  affected  by  the  change  in  operator  actions  including 
changes  to  the  functions  and  to  their  allocation  between  persormel  and  automatic  systems.  The 
level  of  detail  in  the  functional  requirements  and  allocation  analyses  may  be  graded  based  on:  (1) 
the  degree  of  difference  between  the  HAs  before  and  after  the  change;  (2)  the  extent  to  which 
difficulties  occurred  in  prior  operations,  as  identified  through  the  OER;  and  (3)  the  risk  level 
associated  with  the  change.  The  following  additional  considerations  apply: 

(1)  If  new  safety  functions  are  introduced  or  existing  ones  changed,  then  reviews  of  both  the 
functional  requirements  analysis  and  function  allocation  analysis  should  be  conducted. 
(This  situation  is  not  likely  to  occur  since  it  would  involve  a  significant  deviation  from  the 
design  basis  that  was  originally  approved  by  the  NRC.) 

(2)  If  the  function  allocation  is  changed,  or  if  the  risk  level  is  well  into  Region  I  (as 
determined  by  the  PRA/HRA  review  criteria)  then  a  review  of  the  function  allocation 
should  be  conducted.  (Many  cases  will  have  changed  function  allocations.  An  example 
may  be  the  reallocation  of  responsibility  from  an  automatic  system  to  persormel  for  the 
initiation,  on-going  control,  or  termination  of  a  ftmction.) 
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(3)  If  the  function  allocation  is  not  changed  then  no  function  allocation  analysis  is  needed  and 
the  licensee  should  proceed  with  task  analysis.  (An  example  may  be  a  manual  action 
performed  for  a  safety-related  function  that  is  now  required  under  a  new  scenario.  That  is, 
the  function  is  the  same  but  the  initiating  circumstances  are  different.) 

Review  Criteria 

The  criteria  for  reviewing  the  licensee’s  functional  requirements  analysis  and  functional  allocation 
are  identified  below. 

(1 )  New  or  chamged  safety  functions  should  be  described,  including  comparisons  before  and 
after  the  proposed  change.  The  set  of  plant  system  configurations  or  success  paths  that  are 
responsible  for  or  capable  of  carrying  out  the  safety  function  should  be  clearly  defined  and 
the  ones  affected  by  the  proposed  changes  in  the  HAs  should  be  identified.  This 
functional  decomposition  should  address: 

•  High-level  functions  [e.g.,  maintain  reactor  coolant  system  (RCS)  integrity]  and 
critical  safety  functions  (e.g.,  maintain  RCS  pressure  control) 

•  Specific  plamt  systems  amd  components 

(2)  For  the  functional  allocation  amalysis,  a  description  should  be  provided  for  each  of  the 
high-level  functions  allocated  to  the  human  as  a  result  of  the  proposed  change.  The 
description  should  include  the  following: 

•  Purpose  of  the  high-level  function 

•  Conditions  under  which  the  high-level  fimction  is  required 

•  Parameters  that  indicate  that  the  high-level  function  is  available 

•  Parameters  that  indicate  the  high-level  function  is  operating  (e.g.,  flow  indication) 

•  Parameters  that  indicate  the  high-level  function  is  achieving  its  purpose  (e.g., 
reactor  vessel  level  returning  to  normal) 

•  Parameters  that  indicate  that  operation  of  the  high-level  fimction  can  or  should  be 
terminated 

Note  that  parameters  may  be  described  qualitatively  (e.g.,  high  or  low),  rather  than  as 
specific  numerical  values  or  setpoints. 


23 


3  REG  ION  I  REVIEW  GUIDANCE 

(3)  The  technical  basis  for  the  proposed  modifications  to  the  functions  (e.g.,  new  functions 
and  changes  in  what  a  function  does),  compared  to  the  situation  before  the  change  in  the 
HAs,  should  be  documented. 

(4)  The  technical  basis  for  all  relevant  functional  allocations  should  be  documented.  The 
basis  for  function  allocations  can  be  successful  operating  experience.  This  analysis  should 
reflect  (a)  sensitivity,  precision,  time,  and  safety-related  requirements;  (b)  required 
reliability;  and  (c)  the  number  and  level  of  skills  of  personnel  required  to  operate  and 
maintain  the  system. 

(5)  The  allocation  analysis  should  consider  not  only  the  personnel  role  of  initiating  manual 
actions  but  also  responsibilities  concerning  automatic  functions,  including  monitoring  the 
status  of  automatic  functions  to  detect  system  failures. 

(6)  The  demands  associated  with  the  proposed  allocation  of  functions  should  be  considered  in 
terms  of  all  other  human  functions  that  may  impose  concurrent  demands  upon  the 
persormel.  The  overall  level  of  workload  should  be  considered  when  allocating  functions 
to  the  persormel.  The  assessment  of  workload  may  change  as  the  design  matures.  Early  in 
the  process,  workload  may  be  assessed  based  on  information  obtained  from  a  review  of 
operating  experience.  Once  task  analysis  information  is  available,  workload  can  be 
examined  on  the  basis  of  the  task  characteristics,  such  as  how  many  tasks  have  to  be 
performed  and  their  characteristics,  such  as  how  quickly  they  need  to  be  performed  and 
how  precise  the  actions  have  to  be.  Once  more  detailed  design  information  becomes 
available,  workload  can  be  assessed  based  on  the  subjective  evaluation  of  subject  matter 
experts,  such  as  operations  persormel.  When  a  design  is  completed  and  a  mockup, 
simulator,  or  actual  equipment  is  available,  data  on  workload  can  be  collected  through 
trials  where  the  HAs  are  actually  performed  (see  O'Hara,  et  al.,  1997  for  a  discussion  of 
workload  measurement). 

3.5  Task  Analysis 

Objective 

The  objective  of  this  review  is  to  provide  adequate  assurance  that  the  licensee's  task  analysis 
identifies  the  behavioral  requirements  of  the  tasks  personnel  are  required  to  perform.  The  task 
analysis  should  form  the  basis  for  specifying  the  requirements  for  the  HSI,  procedures,  and 
training  based  on  the  tasks  persormel  will  perform.  The  results  are  also  used  as  basic  information 
for  developing  staffing  and  communication  requirements  of  the  plant 
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Scope 

The  task  analysis  addresses  HAs  in  their  entirety,  including  all  pertinent  plant  conditions,  . 
situational  factors,  and  performance  shaping  factors.  While  the  primary  focus  is  operator  tasks, 
tasks  performed  by  other  personnel  (e.g.,  maintenance,  test,  inspection,  and  surveillance)  that 
occur  at  the  same  time  as  the  HAs  and  directly  influence  the  actions  are  included  in  the  task 
analysis. 

Criteria 

The  criteria  for  reviewing  the  licensee’s  task  analysis  are  identified  below. 

(1)  The  licensee  should  identify  the  information  that  is  required  to  inform  persormel  that  the 
HA  is  necessary,  that  the  HA  has  been  correctly  performed,  and  that  the  HA  can  be 
terminated. 

(2)  Task  analyses  should  provide  detailed  descriptions  of  what  the  persormel  must  do.  The 
licensee  should  identify  how  human  tasks  or  performance  requirements  are  being  changed. 
All  types  of  information  from  Table  3.1  that  are  relevant  to  the  HA  should  be  addressed. 

(3)  The  task  analysis  should  consider  all  human  tasks  including  monitoring  of  automated 
system(s)  and  performing  backup  actions  if  the  system  fails. 

(4)  The  task  analysis  should  address  the  full  range  of  plant  conditions  and  situational  factors, 
and  performance  shaping  factors  anticipated  to  influence  human  performance.  The  range 
of  plant  operating  modes  relevant  to  the  HAs  (e.g.,  abnormal  and  emergency  operations, 
transient  conditions,  and  low-power  and  shutdown  conditions)  should  be  included  in  the 
task  analysis. 

(5)  The  human  task  requirements  that  result  from  the  changes  in  the  actions  should  be 
assessed  to  determine  whether  they  are  compatible  with  each  individual’s  responsibilities 
(i.e.,  will  not  interfere  with  or  be  disrupted  by  the  cognitive  and  physical  demands  of 
other  tasks  and  responsibilities). 

(6)  Certain  human  tasks  will  need  qualified  instrumentation  in  accordance  with  RG  1.97 
(NRC,  1983).  The  task  analysis  should  identify  the  necessary  safety  grade  of  the  control 
and  display  equipment  used  for  human  tasks.  The  RG  defines  Type  A  variables  as  “those 
variables  to  be  monitored  that  provide  the  primary  information  required  to  permit  the 
control  room  operators  to  take  the  specified  manually  controlled  actions  for  which  no 
automatic  control  is  provided  and  that  are  required  for  safety  systems  to  accomplish  their 
safety  function  for  design  basis  accident  events”  (NRC,  1983,  p.  1.87-4).  Primary 
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Table  3.1  Types  of  Task  Analysis  Output 

Type  of  Information 

Example 

Information  Requirements 

identify  proper  component 
identify  proper  control 

identify  relevant  task  parameters  (units,  precision,  and  accuracy) 
identify  results  of  control  actions 
identify  when  actions  are  completed 

Decision-making  Requirements 

decisions  type  (relative,  absolute,  probabilistic) 
evaluations  to  be  performed 

Response/Performance  Requirements  type  of  action  to  be  taken 

task  frequency,  tolerance  and  accuracy 


task  completion  time  and  temporal  constraints  (task  ordering) 

physical  position  (stand,  sit,  squat,  etc.) 

biomechanics 

-  movements  (lift,  push,  turn,  pull,  crank,  etc.) 

-  forces  required 

Communication  Requirements 

personnel  communication 

Workload 

cognitive 

physical 

overlap  of  task  requirements  (serial  vs.  parallel  task  elements) 

Task  Support  Requirements 

special  and  protective  clothing 
job  aids  or  reference  materials  required 
tools  and  equipment  required 

Workplace  Factors 

ingress  and  egress  paths  to  the  worksite 
workspace  envelope  required  by  action  taken 

typical  and  extreme  environmental  conditions,  such  as  lighting,  temp,  noise 

Situational  and  Performance 
Shaping  Factors 

stress 

reduced  manning 

Hazard  Identification 

identification  of  hazards  involved,  e.g.,  potential  personal  injury 
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information  is  further  defined  in  the  RG  as  information  that  is  essential  for  the  direct 
accomplishment  of  the  specified  safety  functions,  but  does  not  include  those  variables  that 
are  associated  with  contingency  actions  that  may  also  be  identified  in  written  procedures. 
Table  1  of  RG  1.97  provides  detailed  Category  1  criteria  that  Type  A  variables  should 
meet.  In  general,  these  Category  1  criteria  provide  for  environmental  and  seismic 
qualification,  redundancy,  quality  assurance,  continuous  display,  good  human  factors 
design,  and  an  emergency  power  supply.  Therefore,  HAs,  which  are  required  for  safety 
systems  to  accomplish  their  safety  function  for  design  basis  accident  events  and  for  which 
no  automatic  control  is  provided,  will  need  control  and  display  instrumentation  in 
accordance  with  RG  1 .97.  (This  RG  allows  for  consideration  of  alternative  approaches 
that  are  adequately  justified  and  include  consideration  of  the  risk  significance  of  the 
actions  involved.)  Thus,  credit  should  only  be  given  for  these  types  of  HAs  if  they  can  be 
completed  using  control  and  display  instrumentation  that  is  consistent  with  RG  1.97. 

(7)  The  task  analysis  should  identify  reasonable  or  credible,  potential  errors,  including  the 
following  types: 

•  Errors  of  omission  (i.e.,  failure  to  perform  actions) 

•  Foreseeable  errors  of  commission  (i.e.,  performing  actions  that  are  not  required,  as 
when  personnel  incorrectly  assess  conditions;  performing  the  correct  action  on  the 
wrong  control,  including  controls  not  related  to  the  action;  performing  the  wrong 
action  or  actions  on  the  right  control;  performing  actions  in  the  wrong  sequence). 

Errors  of  omission  and  commission  should  be  determined  for  credible  scenarios  in  which 
the  HAs  might  be  performed.  The  scenarios  should  include  multiple-failure  events. 

(8)  The  potential  consequences  of  errors  should  be  identified.  The  licensee  should  address 
how  errors  can  be  prevented,  detected,  and  recovered  from.  The  ability  of  personnel  to 
recover  from  errors  in  the  performance  of  manual  actions  and  the  expected  time  required 
to  make  such  a  recovery  should  be  evaluated. 

(9)  The  required  time  for  task  completion  should  be  determined  from  analyses  such  as  task 
and  time  line  analyses  of  event  scenarios,  safety  analyses,  risk  analysis,  and  thermal- 
hydraulic  analysis,  as  appropriate.  These  analyses  should  include  time  for  recovering  from 
credible  human  errors,  as  described  in  NRC  Information  Notice  97-78  (NRC,  1997).  (The 
required  time  for  task  completion  should  be  compared  to  estimates  of  the  time  actually 
needed  by  personnel  to  complete  the  tasks.  This  is  addressed  in  Section  3.11,  Human 
Factors  Verification  and  Validation). 
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3.6  Stafllng 

Objective 

The  objective  of  this  review  is  to  provide  adequate  assurance  that  the  licensee  has  analyzed  the 
proposed  change  in  HAs  to  determine  the  number  and  qualifications  of  personnel  based  on  task 
requirements  and  applicable  regulatory  requirements.  Adding  additional  manual  actions  or 
shifting  tasks  to  periods  of  high  workload  may  increase  staffing  requirements. 

Scope 

The  staffing  analysis  addresses  personnel  requirements  for  all  conditions  in  which  the  HA  may  be 
performed. 

Criteria 

The  criteria  for  reviewing  the  licensee’s  staffing  analysis  are  identified  below. 

(1)  Staffing  levels  should  be  evaluated  to  determine  their  adequacy  with  respect  to  any 

additional  burden  that  may  be  imposed  by  the  plant  or  HA  modifications  The  staffing 

levels  should  be  adjusted  if  necessary.  The  evaluation  should  be  based  on  an  analysis  of 

•  Current  nominal  (typical  shift  complement  of  personnel)  and  minimal  staffing 
levels  (as  identified  administrative  procedures) 

•  Required  actions  determined  from  the  task  analysis 

•  The  physical  configuration  of  the  work  environment  (e.g.,  control  room  and 
control  consoles  configurations  that  may  affect  the  ability  of  personnel  to  work 
together) 

•  The  availability  of  plant  information  from  individual  workstations  from  individual 
and  group  view  components  of  the  HSI 

•  Required  interaction  between  personnel  for  situation  assessment,  planning,  and 
control  activities 

•  Availability  of  personnel  considering  other  activities  that  may  be  ongoing  and  for 
other  possible  responsibilities  outside  the  control  room  (e.g.,  fire  brigade) 

•  Required  interaction  between  personnel  for  administrative,  communications,  and 
reporting  activities 
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•  Relevant  actions  described  by  10  CFR  50.47  and  NUREG-0654  (NRC,  1 980)  (to 
provide  an  acceptable,  initial  response  to  key  functional  areas  required  by  the 
emergency  plan). 

3.7  Probabilistic  Risk  and  Human  Reliability  Analysis 
Objective 

The  objectives  of  this  review  are  to  provide  adequate  assurance  that  the  licensee  has  (1)  updated 
the  PRA  model  to  reflect  system,  component,  and  HA  changes  that  may  be  necessary  based  on  the 
proposed  modification  or  HAs;  (2)  performed  an  analysis  of  the  potential  effects  of  the  proposed 
changes  upon  plant  safety  amd  reliability,  in  a  manner  consistent  with  current,  accepted  PRA/HRA 
principles  and  practices,  amd  (3)  the  risk  insights  derived  from  the  results  are  addressed  in  the 
selection  of  HAs;  development  of  procedures,  HSI  components,  and  training  in  order  to  limit  risk 
and  the  likelihood  of  personnel  error  and  to  provide  for  error  detection  and  recovery  capability. 

Scope 

This  review  addresses  PRAs  and  HRAs  conducted  by  the  licensee  to  evaluate  changes  in  systems, 
components,  and  human  tasks  that  result  from  the  proposed  changes  in  HAs. 

Criteria 

The  criteria  for  reviewing  the  licensee’s  PRA  and  HRA  activities  are  identified  below. 

(1)  The  PRA  and  HRA  should  be  modified  to  reflect  the  changes  in  systems,  components,  and 
human  tasks.  Human  interactions  with  plant  systems  and  components  should  be  analyzed 
at  least  at  the  level  modeled  in  the  plant’s  current  PRA. 

(2)  The  HRA  should  follow  a  structured,  systematic,  and  auditable  process  to  provide 
adequate  assurance  that  the  reliability  of  the  HA  is  accurately  estimated  so  that  its  effect 
on  plant  safety  using  the  PRA  can  be  assessed. 

(3)  The  PRA/HRA  should  address  any  human  interactions  that  may  be  involved  with  the 
modified  plant  systems  and  components  at  the  level  currently  modeled  in  the  plant  PRA, 
for  example, 

•  Errors  of  omission  and  commission 

•  Miscalibration  and  component  restoration  errors 

•  Recovery  actions 
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(4)  The  analysis  of  HAs  should  include  the  identification  of  performance  shaping  factors 
(PSFs),  that  is,  factors  that  influence  human  reliability  through  their  effects  on 
performance.  PSFs  include  factors  such  as  environmental  conditions,  HSI  design, 
procedures,  training,  and  supervision. 

(5)  Human-system  analyses  and  evaluations  should  be  used  to  provide  an  understanding  of 
task  requirements  including  (a)  demands  placed  on  plant  personnel,  (b)  interfaces  vWth 
plant  equipment,  and  (c)  time  constraints  within  which  critical  tasks  must  be 
accomplished.  The  analysis  of  human  tasks  should  at  a  minimum  include  (a)  descriptions 
and  analyses  of  human  tasks  developed  during  the  task  analysis,  (b)  modified  plant 
procedures,  and  (c)  modified  HSI  design  characteristics. 

(6)  Human  error  quantification  methods  (such  as  Hollnagel,  1998;  NRC,  2000b;  Swain  and 
Guttmann,  1983),  performance  models  (such  as  action  dependency),  human  error  data 
sources  (such  as  the  "Nuclear  Computerized  Library  for  Assessing  Reactor  Reliability" 
(NUCLARR),  Gertman  et  al.,  1990),  and  PSFs  should  be  specifically  identified  and 
selected  on  the  basis  of  their  appropriateness  to  the  types  of  actions  being  analyzed.  When 
data  from  PRAs,  performed  for  other  plants,  are  to  be  used  in  the  HRA,  a  rationale  should 
be  provided  to  justify  its  use  including  any  modifications  of  these  data. 

(7)  Because  of  the  inherent  uncertainty  of  numerical  estimation,  sensitivity  and/or  uncertainty 
analyses  should  be  performed. 

(8)  Risk-important  HAs  associated  with  the  modification  should  be  identified  from  the 
PRA/HRA  and  used  as  input  to  the  design  of  procedures,  HSI  components,  and  training. 
These  actions  should  be  developed  from  the  Level  1  (core  damage)  PRA  and  Level  2 
(release  from  containment)  PRA  including  both  internal  and  external  events.  They  should 
be  developed  using  selected  (more  than  one)  importance  measures  and  HRA  sensitivity 
analyses  to  provide  adequate  assurance  that  an  important  action  is  not  overlooked  because 
of  the  selection  of  the  measure  or  the  use  of  a  particular  assumption  in  the  analysis. 

(9)  Risk-important  HAs  that  are  identified  by  means  of  PRA/HRA  as  posing  definite 
challenges  to  plant  safety  and  reliability  (e.g.,  those  in  Region  1)  should  be  analyzed  by 
function  allocation  analysis,  task  analysis,  HSI  design,  procedure  design,  and  training  to 
minimize  the  likelihood  of  human  error  and  provide  for  error  detection  and  recovery 
capability.  Some  actions  (e.g.,  those  resulting  in  risk  well  into  Region  I)  should  cause  the 
plaimed  design  change  or  modification  to  be  reconsidered.  Other  alternatives  considered 
should  include  automation. 

(10)  The  licensee  should  use  the  information  from  the  modified  PRA/HRA  to  calculate  changes 
in  CDF,  LERF,  and  integrated  risk  (if  a  temporary  change  is  involved).  These  values 
should  be  plotted  on  the  screening  Figures  of  Section  2  to  indicate  the  relative  risk 
significance  of  the  modification  in  question. 
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3.8  Human-System  Interface  Design 
Objective 

The  objective  of  this  review  is  to  evaluate  the  HSI  design,  for  those  changes  in  HAs  that  require 
changes  to  the  HSI,  to  provide  adequate  assurance  that  the  licensee  has  appropriately  translated 
function  and  task  requirements  into  the  detailed  design  of  the  HSI  through  the  systematic 
application  of  HFE  principles  and  criteria. 

Scope 

This  review  addresses  the  design  of  temporary  and  permanent  modifications  to  the  HSI,  including 
new  HSI  components  and  the  modification  of  existing  ones,  for  the  proposed  changes  in  the  HAs. 
The  intended  focus  of  this  review  is  the  designs  that  result  from  the  HSI  design  process.  Where 
changes  in  HAs  result  in  modifications  to  large  portions  of  the  HSI  or  in  the  use  of  HSI 
technologies  that  do  not  have  proven  operating  histories,  the  review  may  also  examine  the  HSI 
design  process  using  the  review  criteria  of  Sections  8.4.2  and  8.4.3  of  NUREG-071 1,  Rev.  1. 
The  review  addresses  aspects  of  the  HSI  and  the  work  environment  that  affect  the  ability  of  the 
personnel  to  perform -the  HAs.  Depending  upon  the  scope  of  the  HAs  and  the  HSI  components 
used  to  perform  those  actions,  the  review  may  include  the  following: 

•  Control  and  display  device  design 

•  Information  and  control  interface  design  details,  such  as  graphic  display  formats,  symbols, 
dialog  design  and  input  methods 

•  Workspace  layout  (e.g.,  main  control  room  and  remote  shutdown  facility  layouts) 

•  Control  panel,  console,  and  workstation  layouts 

•  Overall  work  environment  (e.g.,  temperature,  humidity,  ventilation,  illumination,  and 
noise). 

Criteria 

The  criteria  for  reviewing  the  licensee’s  HSI  design  are  identified  below. 

(1)  The  following  sources  of  information  should  provide  input  to  the  HSI  design  process,  as 
applicable; 


31 


3 


REGION  I  REVIEW  GUIDANCE 


•  Regulatory  requirements  -  Applicable  regulatory  requirements  should  be  identified 
as  inputs  to  the  HSI  design  process. 

•  Analysis  of  personnel  task  requirements  -  The  analyses  performed  in  earlier  stages 
of  the  design  process  should  be  used  to  identify  requirements  for  the  HSI.  These 
analyses  include: 

Functional  requirement  analysis  and  allocation 
Task  analysis 
Staffing  analyses 

•  System  requirements  -  Constraints  imposed  by  the  overall  instrumentation  and 
control  (I&C)  system  should  be  considered  throughout  the  HSI  design  process, 
including  functional  requirement  specification,  concept  design,  detailed  design, 
and  design  integration. 

•  Predecessor  designs  -  Lessons  learned  from  the  OER  regarding  other  complex 
human-machine  systems  that  have  similar  human  tasks  or  similar  HSI  technologies 
should  be  used  as  an  input  to  the  HSI  design. 

•  HFE  guidelines  -  HFE  guidelines  should  be  used  to  provide  information  regarding 
characteristics  that  the  HSI  design  should  possess. 

(2)  Functional  requirements  for  modifications  to  the  HSI  should  be  developed  to  address: 

•  Personnel  functions  and  tasks  that  support  their  role  in  the  plant  as  derived  from 
function,  task,  and  staffing  analyses 

•  Personnel  requirements  for  a  safe,  comfortable  working  environment. 

(3)  The  design  should  seek  to  minimize  the  probability  that  errors  will  occur  and  maximize 

the  probability  that  errors  will  be  detected  and  personnel  will  be  able  to  recovered  from 

them. 

(4)  When  developing  HSI  components  for  actions  performed  either  in  the  control  room  or 

locally  in  the  plant,  the  following  factors  should  be  considered: 

•  Communication,  coordination,  and  workload 

•  Feedback 
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•  Local  environment 

•  Inspection,  test,  and  maintenance. 

(5)  The  layout  of  HSI  components  within  consoles,  panels,  and  workstations  should  be  based 
upon  (1)  analyses  of  human  roles  (job  analysis)  and  (2)  systematic  strategies  for 
organization  such  as  arrangement  by  importance,  frequency  of  use,  and  sequence  of  use. 

(6)  Personnel  and  task  performance  should  be  supported  during  minimal,  nominal,  and 
high-level  staffing. 

(7)  HSI  characteristics  should  support  human  performance  under  the  full  range  of 
environmental  conditions,  e.g.,  normal  as  well  as  credible  extreme  conditions.  For  the 
main  control  room  requirements  should  address  conditions  such  as  loss  of  lighting,  loss  of 
ventilation,  and  main  control  room  evacuation.  For  the  remote  shutdown  facility  and  local 
control  stations,  requirements  should  address  constraints  imposed  by  the  ambient 
environment  (e.g.,  noise,  temperature,  contamination)  and  by  protective  clothing  (if 
necessary). 

(8)  The  HSI  should  be  designed  to  support  inspection,  maintenance,  test,  and  repair  of  both 
plant  equipment  and  the  HSI.  The  HSI  should  be  designed  so  that  inspection, 
maintenance,  test,  and  repair  of  the  HSI  does  not  interfere  with  other  plant  control 
activities  (e.g.,  maintenance  tags  should  not  block  the  view  of  plant  indications). 

(9)  Changes  to  the  HSI  design  should  be  documented  to  include: 

•  The  detailed  HSI  description  including  its  form,  function  and  performance 
characteristics 

•  The  basis  for  the  HSI  design  characteristics  with  respect  to  operating  experience 
and  literature  analyses,  tradeoff  studies,  engineering  evaluations  and  experiments, 
and  benchmark  evaluations 

•  Records  of  the  basis  of  the  design  changes. 

3.9  Procedure  Design 

Objective 

The  objective  of  this  review  is  to  provide  adequate  assurance  that  applicable  plant  procedures 
have  been  appropriately  modified,  where  needed,  to  provide  adequate  guidance  for  the  successful 
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completion  of  the  HAs,  and  that  the  procedures  adequately  reflect  changes  in  plant  equipment  and 
HAs.  In  the  procedure  development  process,  HFE  principles  and  criteria  should  be  applied  along 
with  all  other  design  requirements  to  develop  procedure  modifications  that  are  technically 
accurate,  comprehensive,  explicit,  easy  to  use,  and  validated. 

Scope 

This  review  addresses  all  plant  procedures  that  provide  guidance  to  personnel  for  the  affected 
actions,  including  the  following  types 

•  Emergency  operating  procedures  (EOPs) 

•  Plant  and  system  operations  (including  startup,  power,  and  shutdown  operations) 

•  Abnormal  and  emergency  operations 

•  Alarm  response 

The  scope  includes  both  temporary  and  permanent  modifications  to  these  procedures. 

Criteria 

The  criteria  for  reviewing  the  licensee’s  procedure  modifications  are  identified  below. 

(1)  Plant  procedures  should  be  modified  to  provide  new  guidance  for  the  proposed  changes  in 
the  HAs.  Exceptions  may  be  made  where  the  adequacy  of  the  existing  procedures  can  be 
justified.  Such  a  justification  should  indicate  how  the  existing  procedures  provide 
necessary  and  sufficient  guidance  for  the  changed  HAs  and  do  not  contain  information  that 
is  inaccurate  or  no  longer  relevant. 

(2)  The  basis  for  procedure  development  should  include 

•  Plant  design  bases 

•  System-based  technical  requirements  and  specifications 

•  Task  analyses  results  for  revised  HAs 

•  Risk-important  HAs  identified  in  the  HRA/PRA 
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•  Initiating  events  to  be  considered  in  the  EOPs,  including  those  events  in  the  design 
bases 

•  EOPs  and  generic  technical  guidelines  (GTGs). 

(3)  Procedures  should  identify  how  the  operating  crew  should  independently  verify  that  the 
HAs  have  been  successfully  performed. 

(4)  All  procedures  should  be  verified  and  validated  to  provide  adequate  assurance  that  they 
are  correct  and  can  be  carried  out.  Their  final  validation  should  be  performed  as  part  of 
the  validation  activities  described  in  Section  3.11. 

(5)  If  the  change  in  the  HAs  also  involves  the  introduction  of  a  computer-based  procedure 
system,  then  a  review  should  be  conducted  to  determine  the  impact  of  providing 
computer-based  procedures  (CBPs)  and  to  specify  where  such  an  approach  would  improve 
procedure  utilization  and  reduce  operating  crew  errors  related  to  procedure  use.  The 
justifiable  use  of  CBPs  over  paper  procedures  should  be  documented.  An  analysis  of 
alternatives  in  the  event  of  loss  of  CBPs  should  be  performed  and  documented. 

(6)  Any  changes  in  the  HSI  should  be  reflected  in  the  modifications  of  the  procedures. 

(7)  Procedural  modifications  should  be  integrated  across  the  full  set  of  procedures;  alterations 
in  particular  parts  of  the  procedures  should  not  conflict  nor  be  inconsistent  with  other 
parts.  For  example,  an  HSI  component  that  is  modified  for  a  HA  may  also  affect  other 
actions  that  have  not  been  modified.  Therefore,  procedure  changes  should  not  be  limited 
to  only  the  changed  HAs. 

3.10  Training  Program  Design 

Objective 

The  objective  of  this  review  is  to  provide  adequate  assurance  that  the  licensee’s  training  program 
results  in  adequate  training  for  the  HAs.  The  review  should  provide  adequate  assurance  that 
appropriate  training  has  been  developed  and  conducted  for  the  HAs,  including  any  changes  in 
qualifications,  as  described  in  NRC  Information  Notice  97-78  (NRC,  1997). 

Scope 

This  review  addresses  the  licensee’s  training  programs  for  all  licensed  and  non-licensed  personnel 
who  perform  the  changed  HAs.  The  scope  includes  both  temporary  and  permanent  modifications 
to  training  programs. 
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Criteria 

The  criteria  for  reviewing  the  licensee’s  training  program  are  identified  below. 

(1)  The  licensee’s  training  program  should  be  modified  to  address  the  knowledge  and  skill 
requirements  for  all  changes  in  HAs  for  the  licensed  and  non-licensed  personnel.  The 
scope  of  the  training  should  include: 

•  Pertinent  plant  functions  and  systems 

•  The  full  range  of  relevant  HSI  components 

•  The  fiill  range  of  relevant  procedures 

•  The  range  of  plant  conditions  in  which  in  the  HAs  might  be  performed 

(2)  Learning  objectives  should  be  derived  from  an  analysis  that  describes  desired  performance 
for  the  HAs  after  training  has  been  completed.  This  analysis  should  include  but  not  be 
limited  to  training  issues  identified  in  the  following  HFE  activities: 

•  Operating  Experience  Review  -  previous  training  deficiencies  and  operational 
problems  that  may  be  corrected  through  additional  and  enhanced  training,  and 
positive  characteristics  of  previous  training  programs 

•  Function  Analysis  and  Allocation  -  functions  identified  as  new  or  modified,  if 
applicable 

•  Task  Analysis  -  tasks  identified  during  task  analysis  as  posing  unusual  demands, 
new  or  different  tasks,  and  tasks  requiring  high  coordination,  high  workload,  or 
special  skills 

•  Human  Reliability  Assessment  -  requirements  for  coordinating  individual  roles  to 
reduce  the  likelihood  and/or  consequences  of  human  error  associated  with  HAs 

•  HSI  Design  -  design  features  whose  purpose  or  operation  may  be  different  from  the 
past  experience  or  expectations  of  personnel  or  otherwise  difficult  to  use 

•  Plant  Procedures  -  tasks  that  have  been  identified  during  procedure  development  as 
being  problematic  (e.g.,  procedure  steps  that  have  undergone  extensive  revision  as 
a  result  of  plant  safety  concerns). 
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3.11  Human  Factors  Verification  and  Validation 
Objective 

Verification  and  validation  (V&V)  consists  of  five  activities  with  the  follovving  objectives: 

(1)  HSI  task  support  verification  -  Provide  adequate  assurance  that  the  HFE/HSI  design 
provides  all  necessary  alarms,  displays,  and  controls  to  support  plant  personnel  tasks. 

(2)  HFE  design  verification  -  Provide  adequate  assurance  that  the  HFE/HSI  design  conforms 
to  HFE  principles,  guidelines,  and  standards. 

(3)  Integrated  system  validation  -  Provide  adequate  assurance  that  the  HFE/HSI  design  can  be 
effectively  operated  by  personnel  within  all  performance  requirements  applicable  to  te 
HA,  including  the  following 

•  All  pertinent  staffing  considerations  are  acceptable  for  nominal  and  minimal  shift 
levels,  such  as  shift  staffing,  assignment  of  tasks  to  crew  members,  and  crew 
coordination  within  the  control  room  and  between  the  control  room  and  local 
control  stations  and  support  centers. 

•  The  HAs  can  be  accomplished  within  time  and  performance  criteria 

•  The  integrated  system  performance  is  consistent  with  all  ftmctional  requirements, 
including  tolerance  of  failures  of  individual  HSI  features 

(4)  Final  plant  HFE/HSI  design  verification  -  Provide  adequate  assurance  that  the  final 
product  as  built  conforms  to  the  verified  and  validated  design  that  resulted  from  the  HFE 
design  process. 


Scope 


(1)  The  general  scope  of  V&V  includes  the  following  factors  as  applicable  to  the  proposed 
changes  to  the  HAs: 

•  HSI  hardware  and  software 

•  Procedures 

•  Workstation  and  console  configurations 

•  Design  of  the  overall  work  environment 
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•  Trained  personnel 

(2)  The  typical  order  of  V&V  activities  is: 

•  HSI  task  support  verification 

•  HFE  design  verification 

•  Integrated  system  validation 

•  Human  factors  issue  resolution  verification 

•  Final  plant  HFE/HSI  design  verification 

(3)  All  V«feV  activities  are  applicable  regardless  of  whether  the  change  in  the  HA  involves 
changes  in  the  HSI. 

Criteria 

HSI  Task  Support  Verification 

(1)  All  aspects  of  the  HSI  (e.g.,  controls,  displays,  procedures,  and  data  processing)  that  are 
required  to  accomplish  the  HAs  should  be  verified  as  available  through  the  HSI.  For  HAs 
that  require  qualified  instrumentation  in  accordance  with  RG  1 .97,  it  should  be  verified 
that  the  HSI  provides  such  qualified  instrumentation. 

HFE  Design  Verification 

(1)  All  aspects  of  the  HSI  (e.g.,  controls,  displays,  procedures,  and  data  processing)  used  for 
the  HAs  should  be  verified  as  consistent  with  accepted  HFE  guidelines,  standards,  and 
principles. 

(2)  Deviations  from  accepted  HFE  guidelines,  standards,  and  principles  should  be  acceptably 
justified  on  the  basis  of  a  documented  rationale  such  as  trade  study  results,  literature-based 
evaluations,  demonstrated  operational  experience,  or  tests  and  experiments. 
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Integrated  System  Validation 

Validation  Testbeds 

(1)  For  HAs  performed  in  the  main  control  room,  the  plant  training  simulator  should  be  used 
as  the  testbed  when  conducting  the  validation  tests. 

(2)  For  HAs  performed  at  locations  outside  of  the  main  control  room,  the  use  of  a  simulation 
or  mockup  should  be  considered  to  verify  that  human  performance  requirements  can  be 
achieved.  If  a  simulation  or  mockup  is  not  available,  then  considerations  should  be  given 
to  conducting  drills  in  the  plant.  The  conduct  of  these  drills  should  not  interfere  with  plant 
operations  (e.g.,  drills  may  be  conducted  when  the  plant  is  shutdown  or  the  affected 
systems  are  removed  from  service). 

(3)  When  simulations  or  mockups  are  used  to  evaluate  HAs  performed  outside  of  the  main 
control  room,  the  important  characteristics  of  the  task-related  HSI  components  and  task 
environment  (e.g.,  lighting,  noise,  heating  and  ventilation,  and  protective  clothing  and 
equipment)  should  be  included  in  the  testbed. 

Plant  Personnel 

(1 )  Participants  in  the  validation  tests  should  be  the  plant  personnel  who  will  perform  the 
changed  actions.  Actions  that  will  be  performed  by  licensed  personnel  should  be  veilidated 
using  licensed  personnel  rather  than  training  or  engineering  personnel.  Similarly,  actions 
allocated  to  non-licensed  personnel  should  be  validated  using  non-licensed  personnel. 

(2)  To  properly  account  for  human  variability,  each  of  the  normal  crews  should  participate  in 
the  validation  tests.  This  will  help  provide  adequate  assurance  that  variation  along  most  of 
the  significant  dimensions  that  influence  human  performance  are  included  in  the  validation 
tests.  Participation  is  not  necessary  for  personnel  who  do  not  normally  operate  or  maintain 
the  plant  (e.g.,  administrative  personnel  who  hold  operating  licenses).  If  all  crews  are  not 
included  in  the  validation  tests  then  a  justification  should  be  provided,  indicating  how  the 
sample  of  personnel  includes  all  of  the  relevant  capabilities  and  characteristics  to  the 
overall  population  and  is  not  biased  by  specific  characteristics  (e.g.,  the  sample  included 
the  best  operators). 

(3)  In  selection  of  personnel,  consideration  should  be  given  to  the  assembly  of  nominal  and 
minimum  crew  configurations,  including  shift  supervisors,  reactor  operators,  shift 
technical  advisors,  etc.,  that  will  participate  in  the  validation  tests.  The  composition  of 
operations  personnel  need  only  include  categories  of  personnel  that  are  relevant  to  the 
HAs. 
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Operational  Conditions 

(1)  Integrated  system  validation  should  include  dynamic  evaluations  for  a  range  of  operational 
conditions  for  which  the  HA  is  required.  Conditions  that  are  expected  to  contribute  to 
system  performance  variation  should  be  specifically  identified. 

(2)  The  scenarios  should  reflect  a  range  of  situational  factors  that  are  known  to  challenge 
human  performance,  such  as: 

•  Failure  events,  such  as  I&C  instrumentation  and  HSI  failures 

•  Adverse  or  inhospitable  environmental  conditions  such  as  poor  lighting,  extreme 
temperatures,  high  noise,  and  simulated  radiological  contamination. 

(3)  The  operational  conditions  should  be  developed  into  detailed  scenarios.  The  following 
information  should  be  defined  to  provide  adequate  assurance  that  important  performance 
dimensions  are  addressed  and  to  allow  scenarios  to  be  accurately  presented  for  repeated 
trials: 

•  Description  of  the  scenario  mission  and  any  pertinent  "prior  history"  necessary  for 
personnel  to  understand  the  state  of  the  plant  upon  scenario  start-up 

•  Specific  initial  conditions  (precise  definition  provided  for  plant  functions, 
processes,  systems,  component  conditions  and  performeince  parameters) 

•  Events  (e.g.,  failures)  to  occur  and  their  initiating  conditions,  e.g.,  time,  parameter 
values,  or  events 

•  Precise  definition  of  workplace  factors,  such  as  environmental  conditions 

•  Data  to  be  collected  and  the  precise  specification  of  what,  when  and  how  data  are 
to  be  obtained  and  stored  (including  videotaping  requirements,  questionnaire  and 
rating  scale  administrations) 

•  Specific  criteria  for  terminating  the  scenario. 

(4)  Scenarios  should  have  appropriate  task  fidelity  so  that  realistic  task  performance  will  be 
observed  in  the  validation  tests  and  so  that  results  can  be  generalized  to  actual  operation  in 
the  real  plant. 

(5)  When  evaluating  performance  associated  with  the  use  of  HSI  components  located  remote 
from  the  main  control  room,  the  effects  on  crew  performance  due  to  potentially  harsh 
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environments  (i.e.,  high  radiation)  should  be  realistically  simulated  (i.e.,  additional  time  to 
don  protective  clothing  and  access  radiologically  controlled  areas). 

Plant  Performance  Measurement 

(1)  The  variables  used  in  the  performance  measures  should  include  performance  of  the  plant 
and  personnel,  as  described  below. 

(2)  Measures  that  assess  personnel  task  performance  should  be  used,  including  the  following: 

•  For  each  specific  scenario,  the  tasks  that  personnel  are  required  to  perform  should 
be  identified  and  assessed.  Such  tasks  can  include  necessary  primary  (e.g.,  start  a 
pump)  as  well  as  secondary  (e.g.,  access  the  pump  status  display)  tasks.  This 
analysis  should  be  used  for  the  identification  of  errors  of  omission  by  identifying 
tasks  which  should  be  performed.  The  proper  completion  of  required  tasks  should 
be  verified. 

•  The  tasks  that  are  actually  performed  by  persoimel  during  simulated  scenarios 
should  be  identified  and  quantified. 

•  The  variable(s)  used  to  quantify  tasks  should  be  chosen  to  reflect  the  important 
aspects  of  the  task  with  respect  to  system  performance,  such  as: 

Task  success  or  failure 

Task  completion  time 

Errors  (omission  and  commission) 

Subjective  reports  of  participants 

(3)  Performance  criteria  for  the  measures  used  in  the  evaluations  should  be  established.  The 
approach  used  for  establishing  the  criteria  should  be  based  upon  the  type  of  comparisons 
made  between  the  measures  and  criteria,  e.g.,  requirement-referenced,  benchmark 
referenced,  normative  referenced,  and  expert-judgement  referenced.  (See  "performance 
criteria"  in  the  glossary  for  a  definition  of  these  terms  and  O'Hara,  et  al.,  1997,  for  a  more 
in-depth  discussion). 

(4)  Anthropometric  and  physiological  factors  include  such  concerns  as  visibility  of 
indications,  accessibility  of  control  devices,  and  ease  of  control  device  manipulation. 
These  factors  should  be  assessed  where  appropriate  so  they  can  be  addressed  should 
difficulties  arise. 
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Validation  Test  Design 

(1)  Scenario  Sequencing  -  When  crews  perform  more  that  one  scenario,  the  order  in  which 
scenarios  are  presented  to  crews  should  be  balanced  to  provide  adequate  assurance  that  the 
same  types  of  scenarios  are  not  always  being  presented  in  the  same  position,  e.g.,  the  easy 
scenarios  are  not  always  presented  first. 

(2)  Validation  Test  Procedures  -  Detailed,  clear,  and  objective  validation  test  procedures 
should  be  available  to  govern  the  conduct  of  the  validation  tests.  They  should  be 
developed  with  the  goal  of  minimizing  opportunities  for  tester  expectancy  bias  and 
participant  response  bias.  These  procedures  should  include: 

•  Information  pertaining  to  the  experimental  design,  i.e.,  an  identification  of  which 
crews  receive  which  scenarios  and  the  order  that  the  scenarios  should  be  presented. 

•  Detailed  and  standardized  instructions  for  briefing  the  participants  to  minimize  this 
source  of  bias. 

•  Specific  criteria  for  the  conduct  of  specific  scenarios,  such  as  when  to  start  and 
stop  scentirios,  when  events  such  as  faults  are  introduced,  and  other  information 
discussed  in  Operational  Conditions,  Criterion  3  above. 

•  Scripted  responses  for  test  personnel  who  will  be  acting  as  plant  persomiel  during 
validation  test  scenarios. 

•  Guidance  on  when  and  how  to  interact  with  participants  when  simulator  or  testing 
difficulties  occur. 

•  Instructions  regarding  when  and  how  to  collect  and  store  data  via  the  various 
collection  techniques  (simulation  computers,  special  purpose  data  collection 
devices,  video  recorders,  observation  checklists,  and  subjective  rating  scales  and 
questionnaires). 

•  Procedures  for  documenting  validation  data,  i.e.,  identifying  and  maintaining 
validation  test  record  files. 

(3)  Validation  Test  Personnel  Qualifications  -  Validation  test  administration  personnel  should 
be  knowledgeable  of  the  use  and  importance  of  validation  test  procedures,  the  types  of 
errors  that  may  be  introduced  into  validation  test  data  through  the  failure  to  follow 
validation  test  procedures  or  interact  properly  with  participants,  and  the  importance  of 
accurately  documenting  the  validation  tests. 
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(4)  Participant  Training  -  Participants  should  be  trained  in  the  HA,  including  the  use  of  any 
new  or  revised  operating  procedures  and  HSI,  and  interactions  with  other  personnel. 
Participants  should  be  trained  to  near  asymptotic  performance  (i.e.,  stable,  not 
significantly  changing  from  trial  to  trial)  and  tested  prior  to  conducting  actual  validation 
test  trials. 

(5)  Pilot  Testing  -  A  pilot  study  should  be  conducted  prior  to  conducting  the  integrated 
validation  tests  to  provide  an  opportunity  to  assess  the  adequacy  of  the  validation  test 
design,  performance  measures,  and  data  collection  methods. 

Data  Analysis  and  Interpretation 

(1)  Validation  test  data,  time  and  errors,  should  be  analyzed  through  a  combination  of 
quantitative  and  qualitative  methods. 

(2)  The  relationship  between  observed  performance  data  and  the  established  performance 
criteria  should  be  clearly  established  and  justified  based  upon  the  analyses  performed. 

Time  data  should  be  analyzed  by  the  licensee  to  determine  the  confidence  level  that  the 
HA  can  be  performed  within  the  time  criterion.  Attachment  C  provides  an  approach  that 
may  be  used  for  making  this  analysis. 

(3)  The  statistical  and  logical  basis  for  the  determination  that  performance  of  the  integrated 
system  is  and  will  be  acceptable  should  be  clearly  documented. 

Final  Design  Verification 

(1)  Following  design  process  V&V  activities,  a  design  description  should  be  developed  that 
describes  the  detailed  design  and  its  performance  criteria. 

(2)  Aspects  of  the  design  that  were  not  addressed  in  design  process  V&V  should  be  evaluated 
using  an  appropriate  V&V  method.  Aspects  of  the  design  addressed  by  this  criteria  may 
include  features  that  cannot  be  evaluated  in  a  simulator,  such  as  control  room  (CR) 
lighting  and  noise. 

(3)  The  in-plant  HFE  (e.g.,  the  HSI,  procedures,  and  training  implemented  in  the  plant)  should 
conform  to  the  design  description  that  resulted  from  the  HFE  design  process  and  V&V 
activities. 
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3.12  Human  Performance  Monitoring  Strategy 
Objective 

The  objective  of  this  review  is  to  provide  adequate  assurance  that  the  licensee  has  prepared  a 
human  performance  monitoring  strategy  for  ensuring  that  no  adverse  safety  degradation  occurs 
because  of  the  changes  that  are  made  and  to  provide  adequate  assurance  that  the  conclusions  that 
have  been  drawn  from  the  evaluation  remain  valid  over  time.  A  human  performance  monitoring 
strategy  will  help  to  ensure  that  the  confidence  developed  by  the  completion  of  the  integrated 
system  validation  is  maintained  over  time.  There  is  no  intent  to  periodically  repeat  the  full 
integrated  system  validation,  however,  there  should  be  sufficient  evidence  to  provide  reasonable 
confidence  that  operators  have  maintained  the  skills  necessary  to  accomplish  the  assumed  actions. 

The  results  of  the  monitoring  need  not  be  reported  to  the  NRC,  but  should  be  retained  onsite  for 
inspection. 

Scope 

The  scope  of  the  performzince  monitoring  strategy  should  provide  adequate  assurance  that  the: 

•  HFE/HSI  design  czin  be  effectively  operated  by  personnel,  including  within  the  control 
room  and  between  the  control  room  and  local  control  stations  and  support  centers. 

•  HAs  can  be  accomplished  within  time  and  performance  criteria. 

•  Integrated  system  performzince  is  maintained  within  the  performance  established  by  the 
integrated  system  validation. 

Criteria 

(1)  A  human  performzince  monitoring  strategy  should  be  developed  and  documented  by  the 

licensee.  The  strategy  should  be  capable  of  trending  human  performance  after  the  changes 
have  been  implemented  to  demonstrate  that  performance  is  consistent  with  that  assumed  in 
the  various  analyses  that  were  conducted  to  justify  the  change.  Licensees  may  integrate, 
or  coordinate,  their  performance  monitoring  for  risk-informed  changes  with  existing 
programs  for  monitoring  operator  performance,  such  as  the  licensed  operator  training 
program.  If  a  plzint  change  requires  monitoring  of  actions  that  are  not  included  in  existing 
training  programs,  it  may  be  advantageous  for  a  licensee  to  adjust  the  existing  training 
program  rather  thzui  to  develop  additional  monitoring  programs  for  risk-informed 
purposes. 
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(2)  The  program  should  be  structured  such  that  (1)  HAs  are  monitored  commensurate  with 
their  safety  importance,  (2)  feedback  of  information  and  corrective  actions  are 
accomplished  in  a  timely  manner,  and  (3)  degradation  in  performance  can  be  detected  and 
corrected  before  plant  safety  is  compromised  (e.g.,  by  use  of  the  plant  simulator  during 
periodic  training  exercises). 

(3)  Plant  or  operator  performance  under  actual  design  conditions  may  not  be  readily 
measurable.  When  actual  conditions  cannot  be  simulated,  monitored,  or  measured, 
whatever  information  most  closely  approximates  performance  data  in  actual  conditions 
should  be  used. 

(4)  As  part  of  the  monitoring  program,  it  is  important  that  provisions  for  specific  cause 
determination,  trending  of  performance  degradation  and  failures,  and  corrective  actions  be 
included.  The  cause  determination  should  identify  the  cause  of  the  failure  or  degraded 
performance  to  the  extent  that  corrective  action  can  be  identified  that  would  preclude  the 
problem  or  provide  adequate  assurance  that  it  is  anticipated  prior  to  becoming  a  safety 
concern.  The  program  should  address  failure  significance,  the  circumstances  surrounding 
the  failure  or  degraded  performance,  the  characteristics  of  the  failure,  and  whether  the 
failure  is  isolated  or  has  generic  or  common  cause  implications.  The  monitoring  program 
should  identify  and  establish  any  corrective  actions  necessary  to  preclude  the  recurrence  of 
unacceptable  failures  or  degraded  performance. 
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The  guidance  presented  in  this  section  was  derived  mainly  form  RG  1.174,  NUREG-071 1,  and 
NUREG-0700,  Rev  1 .  These  documents  can  be  consulted  for  additional  information. 

4.1  General  Deterministic  Review  Criteria 

Objective 

The  objective  of  this  section  is  to  provide  adequate  assurance  that  deterministic  aspects  of  design, 
as  discussed  in  RG  1.174,  have  been  appropriately  considered  by  the  licensee.  Deterministic 
aspects  include:  ensuring  the  change  meets  current  regulations;  and  does  not  compromise 
defense-in-depth. 

Scope 

The  deterministic  review  criteria  are  applicable  to  all  modifications  associated  with  Region  II 
HAS. 

Criteria 

(1)  The  licensee  should  provide  adequate  assurance  that  the  change  meets  current  regulations, 
except  where  specific  exemptions  are  requested  under  10  CFR  50.12  or  10  CFR  2.802. 
Examples  of  regulations  that  may  be  affected  by  a  change,  but  that  may  be  identified  as 
risk  significant  when  using  a  standard  PRA  to  screen  for  risk  include  the  following:  1 0 
CFR  20,  10  CFR  50  Appendix  A,  Criterion  19,  andlO  CFR  50  Appendices  C  through  R. 

(2)  The  licensee  should  provide  adequate  assurance  that  the  change  does  not  compromise 
defense-in-depth.  Defense-in-depth  is  one  of  the  fundamental  principles  upon  which  the 
plant  was  designed  and  built.  Defense-in-depth  uses  multiple  means  to  accomplish  safety 
functions  and  to  prevent  the  release  of  radioactive  materials.  It  is  important  in  accounting 
for  uncertainties  in  equipment  and  human  performance,  and  for  ensuring  some  protection 
remains  even  in  the  face  of  significant  breakdowns  in  particular  areas.  Defense-in-depth 
may  be  changed  but  should  overall  be  maintained.  Important  aspects  of  defense-in-depth 
include: 

•  A  reasonable  balance  is  preserved  among  prevention  of  core  damage,  prevention  of 
containment  failure,  and  consequence  mitigation. 

•  There  is  no  over-reliance  on  programmatic  activities  to  compensate  for  weaknesses 
in  plant  design. 
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•  System  redundancy,  independence,  and  diversity  are  preserved  commensurate  with 
the  expected  frequency,  consequences  of  challenges  to  the  system,  and 
uncertainties  (e.g.,  no  risk  outliers). 

•  Defenses  against  potential  common  cause  failures  are  preserved,  and  the  potential 
for  the  introduction  of  new  common  cause  failure  mechanisms  is  assessed. 

•  Independence  of  barriers  is  not  degraded. 

•  Defenses  against  human  errors  are  preserved. 

•  The  intent  of  the  General  Design  Criteria  in  Appendix  A  to  1 0  CFR  Part  50  is 
maintained. 

4.2  Analysis 

Objective 

The  objective  of  the  review  is  to  provide  adequate  assurance  that  the  licensee  has  analyzed  the 

changes  to  HA  and  identified  HFE  inputs  for  any  modifications  to  the  HSI,  procedures,  and 

training  that  may  be  necessary. 

Scope 

The  review  criteria  are  applicable  to  all  modifications  associated  with  Region  II  HAs. 

Criteria 

(1)  Operating  Experience  Review  -  Operating  experience  should  be  identified  that  is  related  to 

the  plant  system(s)  eind  HAs  that  need  to  be  addressed  by  the  plant  modifications. 

Appropriate  input  to  the  design  should  be  made  based  on  the  results  of  the  operating 

experience  review. 

(2)  Functional  and  Task  Analysis 

•  The  licensee  should  identify  how  the  personnel  will  know  when  the  HA  is 
necessary,  that  is  performed  correctly,  and  when  it  can  be  terminated. 

•  Task  analyses  should  provide  detailed  descriptions  of  what  the  personnel  must  do. 
The  licensee  should  identify  how  human  tasks  or  performance  requirements  are 
being  changed.  All  types  of  information  from  Table  3.1  that  are  relevant  to  the  HA 
should  be  addressed. 
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•  The  task  analysis  should  identify  reasonable  or  credible,  potential  errors  and  their 
consequences,  including  the  following  types:  Errors  of  omission  (i.e.,  failure  to 
perform  actions  within  the  required  time),  and  foreseeable  errors  of  commission 
(i.e.,  performing  actions  that  are  not  required,  as  when  personnel  incorrectly  assess 
conditions;  performing  the  correct  action  on  the  wrong  control,  including  controls 
not  related  to  the  action;  performing  the  wrong  action  or  actions  on  the  right 
control;  performing  actions  in  the  wrong  sequence).  The  licensee  should  address 
how  errors  can  be  prevented,  detected,  and  recovered  from. 

(3)  Staffing  -  The  effects  of  the  changes  in  HAs  upon  the  number  and  qualifications  of  current 
staffing  levels  of  operations  personnel  for  normal  and  minimal  staffing  conditions. 

4.3  Design  of  HSIs,  Procedures,  and  Training 

Objective 

The  objective  of  the  review  is  to  provide  adequate  assurance  that  the  licensee  has  supported  the 

HA  by  appropriate  modifications  to  the  HSI,  procedures,  and  training. 

Scope 

The  review  criteria  are  applicable  to  all  modifications  associated  with  Region  II  HAs. 

Criteria 

(1)  HSIs  -  Temporary  and  permanent  modifications  to  the  HSI  should  be  identified  and 
described.  The  modifications  should  be  based  on  task  requirements,  HFE  guidelines,  and 
resolution  of  operating  experience  issues. 

(2)  Procedures  -  Temporary  and  permanent  modifications  to  plant  procedures  should  be 
identified  and  described.  The  modifications  should  be  based  on  task  requirements  anu 
resolution  of  operating  experience  issues.  Justification  should  be  provided  when  the  plant 
procedures  are  not  modified  for  changes  in  operator  tasks. 

(3)  Training  -  Temporary  and  permanent  modifications  to  the  operator  training  program 
should  be  identified  and  described.  The  modifications  should  be  based  on  task 
requirements  and  resolution  of  operating  experience  issues.  Justification  should  be 
provided  when  the  training  program  is  not  modified  for  changes  in  operator  tasks. 
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4.4  Human  Action  Verification 
Objective 

The  objective  of  this  review  is  to  provide  adequate  assurance  that  the  licensee  has  demonstrated 
that  the  HA  can  be  successfully  accomplished  with  the  modified  HSI,  procedures,  and  training. 

Scope 

The  review  criteria  are  applicable  to  all  modifications  associated  with  Region  II  HAs. 

Criteria 

(1)  An  evaluations  should  be  conducted  at  the  actual  HSI  to  determine  that  all  required  HSI 
components,  as  identified  by  the  task  analysis,  are  available  and  accessible. 

(2)  A  walk-through  of  the  HA  under  realistic  conditions  should  be  performed  to  determine 
that: 

•  The  procedures  are  complete,  technically  accurate,  and  usable 

•  The  training  program  appropriately  addressed  the  changes  in  plant  systems  and 
HAs 

•  The  HAs  can  be  completed  within  the  time  criterion  for  each  scenario  that  is 
applicable  to  the  HAs. 

The  scenario  used  should  include  any  complicating  factors  that  are  expected  to  impact  the 
crews  ability  to  perform  the  HA. 

(3)  The  walk-throughs  should  include  at  least  one  crew  of  actual  operators. 
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Once  the  various  portions  of  the  NRC  review  of  a  proposed  change  in  HAs  are  completed,  a  final 
decision  must  be  made.  At  this  point  a  significant  amount  of  information  has  been  gathered, 
reviewed,  and  evaluated  that  can  be  used  to  assist  in  the  final  decision.  This  information  includes: 


•  the  various  risk  values  related  to  the  change  or  modification,  including  their  location  on 
the  acceptance  guideline  figures, 

•  the  time  associated  with  the  change, 

•  the  results  of  the  Region  I  or  Region  II  review,  which  includes  both  human  factors 
information  relating  to  the  ability  of  operators  to  reliably  perform  the  actions  in  question, 
as  well  as  deterministic  review  aspects  of  the  proposed  change, 

•  answers  to  RAIs  that  NRC  has  developed  providing  additional  information  or 
commitments, 

•  other  factors  related  to  the  plant  in  question  that  may  bear  on  the  decision. 

These  various  factors  need  to  be  considered  in  an  integrated,  risk-informed  fashion,  that  considers 
risk,  but  does  not  wholly  base  the  final  decision  on  risk.  RG  1.174  notes  that  the  use  of  PRA 
technology  should  be  increased  in  all  regulatory  matters,  but  it  should  be  done  in  a  manner  that 
complements  the  NRC's  deterministic  approach  and  supports  the  NRC's  traditional 
defense-in-depth  philosophy.  RG  1.174  also  notes  that  decisions  concerning  proposed  changes 
are  expected  to  be  reached  in  an  integrated  fashion,  considering  traditional  engineering  and  risk 
information,  and  may  be  based  on  qualitative  factors  as  well  as  quantitative  analyses  and 
information.  The  review  guidance  in  this  document  takes  these  concepts  into  consideration. 

RGl .  1 74  notes  that  HAs  in  the  high-risk  area  of  Region  I  are  generally  not  desired,  but  there  are 
certainly  examples  of  such  actions  in  plants  today,  e.g.,  the  PWR  ECCS  switchover  situation 
described  in  Generic  Issue  B-17.  Also,  there  may  be  extenuating  circumstances  in  which  the 
licensee  can  adequately  justify  a  modification  to  add  a  Region  I  HA,  e.g.,  if  the  change  is 
temporary  or  if  there  are  other  changes  that  lower  the  CDF.  Another  important  consideration  is 
whether  and  how  well  the  licensee  has  addressed  the  HFE  aspects  of  the  modification. 

The  results  of  the  different  elements  of  the  various  analyses  discussed  in  Sections  2,  3,  and  4  must 
be  considered  in  an  integrated  manner.  No  individual  analysis  is  sufficient  in  and  of  itself.  Thus, 
the  decision  will  not  be  driven  solely  by  the  numerical  results  of  the  PRA.  Each  type  of 
information  helps  in  building  an  overall  picture  of  the  implications  of  the  proposed  change  on 
risk.  The  PRA  has  an  important  role  in  putting  the  change  into  its  proper  context  as  it  impacts  the 
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plant  as  a  whole.  As  the  discussions  in  the  previous  section  indicate,  both  quantitative  and 
qualitative  arguments  may  be  brought  to  bear.  Though  the  different  pieces  of  evidence  used  to 
argue  that  the  principle  is  satisfied  may  not  be  combined  in  a  formal  way,  they  need  to  be  clearly 
documented.  The  proposed  change  should  be  given  increased  NRC  management  attention  when 
the  calculated  values  of  the  changes  in  the  risk  metrics  approach  the  criterion  levels  of  current, 
accepted  guidelines. 

The  main  factors  in  the  decision  process  are  discussed  here  first  and  then  supplementary  decision 
factors  are  listed  that  may  assist  when  the  decision  is  difficult  to  make. 

Main  Decision  Factors 

(1)  Change  in  CDF  -  One  consideration  is  the  value  of  ACDFn,o<i  or  the  increase  in  Core 
Damage  Frequency  due  to  the  modification,  as  well  as  the  ACDFha  or  the  increase  in  CDF 
due  to  failing  the  HA  in  question.  The  placement  of  these  values  into  the  regions  of 
Figure  2.1  can  also  be  considered.  In  many  cases,  the  ACDFha  will  be  notably  larger  than 
the  ACDFmod.  The  confidence  one  has  that  the  change  in  CDF  is  at  the  value  shown  by 
ACDF^od  is  partially  determined  by  the  results  of  the  human  factors  review  noted  in  #3 
below. 

(2)  Change  in  LERF  -  Another  consideration  is  A  LERF,  similar  to  CDF  in  #1  above. 

(3)  Time  and  Integrated  Risk  -  A  further  consideration  is  the  length  of  time  that  the  change 
will  be  in  place,  if  only  a  temporary  modification.  The  integrated  risk  over  time  (or  the 
ICCDP  and  ICLERP)  can  be  considered,  per  Section  2.4  above. 

(4)  Human  Factors  -  A  most  important  consideration  is  the  degree  of  confidence  that 
operators  can  perform  the  actions  required  for  the  modification  in  question.  This  is 
determined  by  the  aggregate  evaluation  in  Sections  3.2  through  3.12  of  the  Region  I 
review  guidance  and  Sections  4.2  through  4.4  of  the  Region  II  review  guidance. 

(5)  Deterministic  Criteria  -  Another  consideration  is  the  more  traditional  deterministic  review 
guidance  provided  in  Section  3.1  of  the  Region  I  review  guidance  and  Section  4.1  of  the 
Region  II  review  guidance. 

Supplemental  Decision  Factors 

Additional  factors  may  also  be  used,  as  appropriate,  to  determine  the  acceptability  of  a  change. 
These  include: 


The  cumulative  impact  of  previous  changes  and  the  trend  in  CDF  (the  licensee's 
risk  management  approach) 
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The  cumulative  impact  of  previous  changes  and  the  trend  in  LERF  (the  licensee's 
risk  management  approach) 

The  impact  of  the  proposed  change  on  operational  complexity,  burden  on  the 
operating  staff,  and  overall  safety  practices 

Plant-specific  performance  and  other  factors  (for  example,  siting  factors, 
inspection  findings,  performance  indicators,  and  operational  events),  and  Level  3 
PRA  information,  if  available 

The  benefit  of  the  change  in  relation  to  its  CDF/LERF  increase 

The  practicality  of  accomplishing  the  change  with  a  smaller  CDF/LERF  impact 

The  practicality  of  reducing  CDF/LERF  when  there  is  reason  to  believe  that  the 
baseline  CDF/LERF  are  above  the  guideline  values  (i.e.,  10-4  and  10-5  per  reactor 
year). 
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Component  -  An  individual  piece  of  equipment  such  as  a  pump,  valve,  or  vessel;  usually  part  of  a 
plant  system. 

Function  -  An  action  that  is  required  to  achieve  a  desired  goal.  Safety  functions  are  those 
functions  that  serve  to  ensure  higher-level  objectives  and  are  often  defined  in  terms  of  a  boundary 
or  entity  that  is  important  to  plant  integrity  and  the  prevention  of  the  release  of  radioactive 
materials.  A  typical  safety  function  is  "reactivity  control."  A  high-level  objective,  such  as 
preventing  the  release  of  radioactive  material  to  the  environment,  is  one  that  designers  strive  to 
achieve  through  the  design  of  the  plant  and  that  plant  operators  strive  to  achieve  through  proper 
operation  of  the  plant.  The  function  is  often  described  without  reference  to  specific  plant  systems 
and  components  or  the  level  of  human  and  machine  intervention  that  is  required  to  carry  out  this 
action.  Functions  are  often  accomplished  through  some  combination  of  lower-level  functions, 
such  as  "reactor  trip."  The  process  of  manipulating  lower-level  functions  to  satisfy  a  higher-level 
function  is  defined  here  as  a  control  function.  During  function  allocation  the  control  function  is 
assigned  to  human  and  machine  elements. 

Human-system  interface  (HSI)  -  The  means  through  which  personnel  interact  with  the  plant, 
including  the  alarms,  displays,  controls,  and  job  performance  aids.  Generically  this  includes 
maintenance,  test,  and  inspection  interfaces  as  well. 

Human  factors  -  A  body  of  scientific  facts  about  human  characteristics.  The  term  covers  all 
biomedical,  psychological,  and  psychosocial  considerations;  it  includes,  but  is  not  limited  to, 
principles  and  applications  in  the  areas  of  human  factors  engineering,  personnel  selection, 
training,  job  performance  aids,  and  human  performance  evaluation  (see  "Human  factors 
engineering"). 

Human  factors  engineering  (HFE)  -  The  application  of  knowledge  about  human  capabilities  and 
limitations  to  plant,  system,  and  equipment  design.  HFE  ensures  that  the  plant,  system,  or 
equipment  design,  human  tasks,  and  work  environment  are  compatible  with  the  sensory, 
perceptual,  cognitive,  and  physical  attributes  of  the  personnel  who  operate,  maintain,  and  support 
it  (see  "Human  factors"). 

Mockup  -  A  static  representation  of  an  HSI  (see  "Simulator"). 

Performance  criteria  -  The  criteria  against  which  measured  performance  is  compared  in  order  to 
judge  its  acceptability.  Approaches  to  the  establishment  of  performance  criteria  include: 

Requirement  Referenced  -  This  is  a  comparison  of  the  performance  of  the  integrated 
system  with  respect  to  an  accepted,  quantified,  performance  requirement.  For  many 
variables  a  requirement-referenced  approach  can  be  used;  i.e.,  requirements  for  plant. 
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system,  and  operator  performance  can  be  defined  through  engineering  analysis  as  part  of 
the  design  process.  Plant  parameters  governed  by  technical  specifications  and  time 
requirements  for  critical  operator  actions  are  examples  of  performance  measures  for  which 
a  requirement-referenced  criteria  can  be  determined.  For  performance  measures  where 
such  specific  requirement  referenced  criteria  cannot  be  used  alternative  criteria 
development  methods  must  be  used. 

Benchmark  Referenced  -  This  is  a  comparison  of  the  performance  of  the  integrated  system 
with  that  of  a  benchmark  system  which  is  predefined  as  acceptable  under  the  same 
•  conditions  or  equivalent  conditions.  Such  an  approach  is  typically  employed  when  no 
accepted  independent  performance  requirements  can  be  established.  Performance  is 
evaluated  through  comparisons  to  an  accepted  benchmark  rather  that  through  an  absolute 
measurement.  For  example,  the  evaluation  may  test  whether  the  plant  under  review  can  be 
operated  to  stay  within  a  level  of  operator  workload  not  exceeding  that  associated  with 
Plant  X.  Plant  X  is  identified  as  acceptable  for  reasons  such  as  its  acceptable  operating 
history  and  operators  report  their  workload  levels  to  be  acceptable.  In  this  case  the 
performance  measure  must  be  obtained  for  Plant  X  and  the  new  system,  under  similar 
operational  conditions,  and  then  compared.  In  the  establishment  of  benchmark-referenced 
criteria,  similar  test  conditions  should  be  established  for  the  benchmark  system  and  system 
under  evaluation. 

Normative  Referenced  -  Normative-referenced  comparison  is  similar  to  a  benchmark 
reference  comparison,  however,  the  performance  criterion  is  not  based  upon  a  single 
comparison  system,  it  is  based  upon  norms  established  for  the  performance  measure 
through  its  use  in  many  system  evaluations.  The  new  system  performs  as  compared  to  the 
norms  established  under  the  same  conditions  or  equivalent  conditions.  This  approach  can 
be  used  when  no  accepted  independent  performance  requirements  can  be  established,  but 
repeated  use  of  the  same  performance  measure  enables  the  development  of  performance 
norms  for  acceptable  and  unacceptable  systems. 

Expert-Judgement  Referenced  -  This  is  a  comparison  of  the  performance  of  the  integrated 
system  with  criteria  established  through  the  judgement  of  SMEs. 

Performance  shaping  factors  (PSFs)  -  Factors  that  influence  human  reliability  through  their 
effects  on  performance.  PSFs  include  factors  such  as  environmental  conditions,  HSI  design, 
procedures,  training,  and  supervision. 

Primary  tasks  -  Those  tasks  performed  by  the  operator  to  supervise  the  plant;  i.e.,  monitoring, 
detection,  situation  assessment,  response  planning,  and  response  implementation. 
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Risk-important  human  action  -  Actions  that  must  be  performed  successfully  by  operators  to 
ensure  plant  safety.  There  are  both  absolute  and  relative  criteria  for  defining  risk  important 
actions.  From  an  absolute  standpoint,  a  risk-important  action  is  one  whose  successful 
performance  is  needed  to  ensure  that  predefined  risk  criteria  are  met.  From  a  relative  standpoint, 
the  risk-  important  actions  constitute  the  most  risk-significant  human  identified. 

Safety-related  operator  action  -  A  manual  action  required  by  plant  emergency  procedures  that  is 
necessary  to  cause  a  safety-related  system  to  perform  its  safety-related  function  during  the  course 
of  any  Design  Basis  Event.  The  successful  performance  of  a  safety-related  operator  action  might 
require  that  discrete  manipulations  be  performed  in  a  specific  order. 

Secondary  tasks  -  Those  tasks  that  the  operator  must  perform  when  interfacing  with  the  plant, 
but  are  not  directed  to  the  primary  task.  Secondary  tasks  may  include:  navigating  through  and 
paging  displays,  searching  for  data,  choosing  between  multiple  ways  of  accomplishing  the  same 
task,  and  making  decisions  regarding  how  to  configure  the  interface. 

Simulator  -  A  facility  that  physically  represents  the  HSI  configuration  and  that  dynamically 
represents  the  operating  characteristics  and  responses  of  the  plant  in  real  time  (see  "Mockup"). 

Subject  Actions  -  the  operator  actions  that  are  being  modified  or  that  will  accomplish  an  actions 
previously  accomplished  by  automatic  systems 

System  -  An  integrated  collection  of  plant  components  and  control  elements  that  operate  alone  or 
with  other  plant  systems  to  perform  a  function. 

Task  -  A  group  of  activities  that  have  a  common  purpose,  often  occurring  in  temporal  proximity, 
and  that  utilize  the  same  displays  and  controls 

Testbed  -  The  representation  of  the  human-system  interface  and  the  process  model  used  in 
testing. 

Validation  -  The  process  by  which  the  integrated  system  (consisting  of  hardware,  software,  and 
personnel  elements)  is  evaluated  to  determine  whether  it  acceptably  supports  safe  operation  of  the 
plant. 

Validity  -  The  characteristics  of  the  methods  and  tools  used  in  the  validation  process.  See  the 
specific  uses  of  the  term:  construct  validity,  convergent  validity,  performance  representation 
validity,  statistical  conclusion  validity,  system  representation  validity,  and  test  design  validity. 

Verification  -  The  process  by  which  the  human-system  interface  design  is  evaluated  to  determine 
whether  it  acceptably  reflects  personnel  task  requirements  and  HFE  design  guidance. 
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Vigilance  -  The  degree  to  which  an  operator  is  alert. 

Workload  -  The  physical  and  cognitive  demands  placed  on  plant  personnel. 
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Generic  Risk-Important  Human  Actions 


This  attachment  contains  two  tables  of  generic  risk-important  HAs  for  BWRs  and  PWRs, 
respectively.  Each  table  is  further  divided  into  “Group  1 "  risk-important  HAs  and  “Group  2" 
potentially  risk-important  HAs.  To  facilitate  readability  of  the  tables,  the  names  of  common 
events  and  plant  systems  are  given  in  acronyms.  These  acronyms  are  defined  in  the  acronym  list 
on  page  xiii  of  this  report. 


Table  A.l  Generic  BWR  Risk-Important  Human  Actions 


Group  1:  BWR  Risk-Important  Human  Actions 

Human  Actions 

Description  and  Reasons  for  Risk-Importance 

Perform  Manual 
Depressurization 

On  selected  sequences,  such  as  station  blackout  (SBO),  manual  depressurization  is  required 
after  failure  of  high  pressure  injection  systems  to  allow  for  injection  with  low  pressure  systems. 

A  complicating  factor  is  that  some  procedures  initially  direct  the  operator  to  inhibit  ADS.  In 
some  PRAs  this  appears  in  cutsets  up  to  45  %  of  CDF.  Operators  typically  depressurize  by 
manually  operating  the  safety  relief  valves  (SRV). 

Vent  Containment 

On  a  transient  or  loss-of-coolant  accident  (LOCA)  sequence,  with  failure  of  the  PCS, 
containment  temperature  and  pressure  increase  and  must  be  controlled.  This  can  be  done  by 
containment  heat  removal,  suppression  pool  cooling,  or  containment  venting.  Actions  are 
required  to  remove  DH  before  adverse  conditions  are  reached  {e,g,^  high  Suppression  Pool 
temperature  leading  to  loss  of  ECCS  pumps). 

Align  Containment  or 
Suppression  Pool  Cooling 

Initiate  standby  liquid 
control  (SLC) 

Manual  initiation  of  SLC  is  needed  for  anticipated  transient  without  scram  (ATWS)  sequences. 

J 

Actions  During  Shutdown  | 

Almost  all  actions,  including  actuation  of  various  equipment,  are  done  manually  during 
shutdown.  The  operator’s  understanding  of  the  plant  configuration  is  necessary  for  the 
successful  manual  actions. 
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Human  Actions 

Group  2:  BWR  Potentially  Risk-Important  Human  Actions 

Description  and  Reasons  for  Risk-Importance 

Level  Control  in 

ATWS 

Effective  Rx  Vessel  level  manual  control  at  lower  than  normal  levels  (e.g.,  near  the  top  of  the 
active  fuel)  is  needed  during  an  ATWS  in  order  to  reduce  core  power. 

Align/Initiate 

Alternative  Injection 

During  loss  of  injection  and  loss  of  decay  heat  removal  (DHR)  events,  alternate  sources  of 
injection  must  be  manually  aligned  and  initiated.  Sources  may  include:  SW,  firewater,  CRD,  FW 
booster  pumps,  SP  cleanup,  and  a  few  plant  unique  systems. 

Recover  Ultimate  Heat 
Sink 

The  importance  of  recovery  of  SW  or  the  ultimate  heat  sink  depends  on  the  cooling  requirements 
of  mitigating  systems  and  the  time  available  before  they  fail  after  loss  of  cooling.  Recovery  is 
also  needed  to  allow  adequate  removal  of  DH  from  the  core  and  containment.  Some  of  these  are 
possible  from  the  main  CR,  while  others  require  local  operator  actions. 

Inhibit  ADS 

Some  IPEs  conclude  that  core  damage  will  occur  if  ADS  is  not  manually  inhibited  in  an  ATWS 
event  due  to  instabilities  created  at  low'  pressures. 

Mis-calibrate  Pressure 
Switches 

Various  pressure  switches  are  important  for  initiating  ECCS  and  operating  ECCS  permissives. 
Common  cause  mis-calibration  of  these  switches  can  affect  multiple  trains  of  safety  systems. 

Initiate  isolation 
condenser  (IC) 

For  the  early  design  BWR  plants,  this  action  is  important  during  accidents  to  ensure  the  continued 
viability  of  the  cooling  from  the  IC. 

Control  FW  Events 

The  actions  of  operators  to  properly  control  the  FW  system  as  an  injection  source  after  loss-of- 
instrument  air  can  be  important  in  transient  and  small  LOCA  sequences. 

Manually  Initiate  Core 
Spray  or  Other  Low 
Pressure  System 

Where  low  pressure  injection  systems  fail  to  automatically  actuate,  operator  action  to  manually  | 

initiate  them  becomes  necessary. 

Mis-calibrate  Low 
Pressure  Core  Spray 
Permissives 

Personnel  calibrate  the  permissive  needed  to  open  the  low  pressure  core  spray  and  LPCI  injection 
valves,  which  are  needed  in  several  sequences.  Miscalibrate  can  lead  to  failure  of  these  systems 
also  included  in  this  action  is  the  failure  to  restore  these  permissive  after  testing. 

Provide  Alternate 

Room  Cooling 

On  transient  sequences,  loss  of  HVAC  (due  to  various  reasons)  can  jeopardize  ECCS  equipment 
operation  causing  its  failure  and  loss  of  all  core  cooling.  The  operators  may  be  able  to  take 
actions  to  provide  alternate  room  cooling,  such  as  opening  doors  and  providing  blowers. 

Particular  important  rooms  arc  plant  sp^ific.  An  example  of  such  a  room  is  the  HPCl  room. 

Recover  Injection 

Systems 

This  action  relates  to  operator  recovery  of  failed  or  unavailable  injection  systems  and  can  be 
important  in  sequences  where  such  failures  arc  dominant. 

Shedding  of  DC  Load 
After  SBO 

While  often  not  well  modeled,  operator  action  to  shed  DC  loads  is  needed  to  extend  the  battery 
charge  in  order  to  operate  the  AC  independent  HPCI  and  RCIC  systems  and  to  keep  the  SRVs 
open  (to  allow  low  pressure  vessel  injection  from  a  diesel-driven  fire  pump).  This  extends  the 
time  to  core  damage  and  the  time  that  operators  have  for  re^'overy  of  AC  power. 

Similar  actions  to  those 
in  Group  I 

Actions  that  are  substantially  similar  (but  not  identical)  to  those  contained  in  Group  1  of  this 

Table  should  be  considered  as  potentially  risk-important,  if  they  involve  the  same  systems, 
components,  or  actions. 

Actions  involving  the 
most  risk-important 
systems 

Each  plant  has  one  or  two  systems  that  are  clearly  the  most  risk  significant  in  the  plant.  Human 
actions  associated  with  these  systems  should  be  considered  as  potentially  risk-important.  When 
modifications  associated  with  these  risk-important  systems  are  being  considered,  new  human 
actions  may  be  created  that  were  not  in  the  original  PRA,  but  that  will  be  risk-important. 
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Table  A.2  Generic  PWR  Risk-Important  Human  Actions 


Group  1:  PWR  Risk-Important  Human  Actions 

Human  Actions 

Description  and  Reasons  for  Risk-Importance 

1  Restore  Room 

Cooling 

In  scenarios  involving  loss  of  the  HVAC  system,  the  room  cooling  can  be  re-established  either  by 
recovery  of  HVAC  or  opening  doors  and  utilizing  portable  fans.  Particular  important  rooms  are 
plant  specific.  An  example  is  the  ECCS  rooms. 

Establish 

Recirculation 

In  LOCA  scenarios,  the  switching  of  ECCS  lines  from  the  injection  to  the  recirculation  mode  is  done 
manually.  Failure  to  do  so  or  human  error  involving  the  valve  alignment  is  important. 

Feed  and  Bleed 

Failure  of  the  operator  to  initiate  and  perform  the  feed  and  bleed  operalion'of  the  reactor  coolant 
system  as  a  last  resort  of  heat  removal  is  important.  j 

Provide  Water 

Supply  for  AFW 

Use  of  water  pumps  to  transfer  w  ater,  from  other  sources  of  make  up  to  the  CST  for  use  by  AFW,  is 
considered  important  in  scenarios  when  long  term  cooling  through  SG  is  needed.  ‘ 

Extend  Battery' 
Duration 

In  SBO  scenarios,  the  operator  can  extend  the  duration  of  the  availability  of  DC  by  load 
management  and  load  shedding  to  assure  the  availability  of  turbine  driven  AFW  pump  and  the 
necessary  instrumentation  and  control.  This  human  action  is  considered  important  in  most  PRAs. 

Recover  Emergency 
AC  or  Offsite  Power 

Some  losses  of  AC  power  can  be  recovered  by  either  manual  transfer  of  the  source  of  power,  or  , 

recovery  of  onsite  normal/emcrgency  AC  power.  This  recovery  action  is  considered  risk  significant 
in  many  PRAs. 

Action  During 
Shutdown 

Almost  all  actions,  including  actuation  of  various  equipment,  are  done  manually  during  shutdown.  , 
The  operator’s  understanding  of  the  plant  configuration  is  necessary  for  the  successful  manual 
actions. 

Group  2:  PWR  Potentially  Risk-Important  Human  Actions 

Human  Actions 

Description  and  Reasons  for  Risk-Importance 

Make  up  to  RWST 

In  some  Westinghouse  3-loop  plants,  credit  is  given  for  operator  action  to  provide  make  up  to  the 
RWST. 

Recover  of  RCP  Seal 
Cooling 

In  some  plants  there  are  means  of  alternate  cooling  for  RCP  seals  that  could  be  relied  on  in  scenarios 
involving  loss  of  CCW.  However,  the  alignment  of  the  system  is  manual  and  requires  operator 
action. 

Actions  in  Response 
to  ATWS 

Upon  failure  of  RPS,  the  operator  should  perform  several  actions,  starting  with  manual  scram, 
ensuring  turbine  trip,  and  most  importantly  initiating  boron  injection. 

Isolate  ISLOCA 

In  some  plants  there  is  a  capability  to  isolate  an  interfacing  systems  LOCA  through  manual  actions. 
Operator  failure  to  isolate  an  interfacing  LOCA  in  the  LPI  system  is  considered  risk  significant  in 
these  plants. 

Initiate  AFWS 

This  human  action  involves  failure  to  manually  start  the  motor  driven  AFW  pump,  given  auto  start 
failure,  and  failure  to  manually  start  the  lockcd-out  turbine  driven  AFW  pump. 

Similar  Actions  to 
Those  in  Group  I 

Actions  that  arc  substantially  similar  to  those  contained  in  Group  1  of  this  Table  should  be 
considered  as  potentially  risk-important,  if  they  involve  the  same  systems,  components,  or  actions. 

Actions  Involving 
the  Most  Risk- 
Important  Systems 

Each  plant  has  one  or  two  systems  that  arc  clearly  the  most  risk  significant  in  the  plant.  Human 
actions  associated  with  these  systems  should  be  considered  as  potentially  risk-important.  When 
modifications  associated  with  these  risk-important  systems,  arc  being  considered  new  human  actions 
may  be  created  that  were  not  in  the  original  PRA,  but  that  will  be  risk-important. 
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Example  Application  of  Screening  Process 


Application  to  the  NUREG-1150  Model 

This  example  uses  one  of  the  NUREG-1 150  plant  PRA  models,  a  BWR,  to  present  two  test  cases 
that  simulate  actual  plant  changes,  where  credited  operator  actions  would  replace  automatic 
equipment  actuations.  The  PRA  was  reviewed  to  determine  a  suitable  risk-importcmt  automatic 
component.  The  Emergency  Service  Water  (ESW)  valve  on  the  outlet  of  the  Emergency  Diesel 
Generator  (EDG)  heat  exchanger  was  selected.  Each  of  the  four  EDGs  has  an  ESW  valve  that 
opens  automatically  on  EDG  start  in  order  to  provide  cooling  water  to  the  diesel  (valves  A,  B,  C, 
and  D).  This  is  one  of  the  most  risk-important  individual  components  modeled  in  the  PRA. 

The  first  example  case  assumes  that  there  is  a  mechanical  problem  with  this  valve  on  one  EDG 
that  carmot  quickly  be  repaired.  Therefore,  the  licensee  has  requested  that  they  be  allowed  to 
credit  an  operator  with  opening  the  valve  mcmually  when  required.  The  second  example  case 
assumes  that  there  is  some  design  problem  common  to  all  four  valves  that  requires  operator  action 
to  open  them.  This  was  examined  both  as  a  possible  permanent  change  and  as  a  temporary 
change  with  different  times  of  implementation. 

Case  1  -  Valve  for  One  EDG 

This  example  case  assumes  that  an  operator  action  will  replace  the  automatic  opening  of  valve  B. 
The  failure  rate  of  the  valve  to  operate  automatically  is  lxE-3  failures  /demand.  This  will  be 
replaced  in  the  PRA  model  with  an  operator  action  that  has  an  appropriate  humem  error 
probability  (HEP).  The  NUREG-1 150  PRA  for  the  plcmt  was  examined  for  similar  operator 
actions  to  determine  an  appropriate  HEP  to  use.  Similar  actions  were  identified  with  HEPs  that 
varied  from  0.06  to  0.1 .  Screening  HEP  values  of  0.5  were  also  used  in  the  PRA  for  operator 
actions,  where  detailed  HEP  calculations  were  not  developed.  Thus,  this  example  was  run  twice, 
with  HEPs  of  both  0.06  and  0.1  to  bracket  the  reasonable  values  and  also  to  obtain  sensitivity 
results  that  would  illustrate  how  the  results  may  be  affected  by  uncertainty  in  the  HEP  values. 

Step  1  of  the  risk  screening  calculations  was  carried  out  as  follows.  First  ACDF^oj  was  calculated 
to  determine  if  the  modification  itself  was  risk  significant,  where; 

ACDF„,od  =  [new  CDF  (with  modifications  in-place)  -  current  baseline  CDF] 

This  value  w£is  computed  for  the  two  HEP  cases  and  the  resulting  ACDF^oj  values  fell  into 

Region  II .  The  ACDF^od  is  not  strongly  affected  by  changing  the  assumed  HEP  from 
0.06  to  0.1.  The  core  damage  frequency  will  increase  by  a  bit  less  than  5E-6/Rx-year,  due 
to  this  change  in  the  plant.  Therefore,  we  proceed  to  Step  2  and  calculate  ACDFha  as 
follows: 
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ACDFha  =  RAW,„,  (new  HA)  =  [CDF  with  new  HA  failed  -  new  CDF  (with  modifications  in-place)]. 

If  one  assumes  that  the  needed  operator  action  fails,  then  the  figure  shows  that  the  ACDFha  is  in 
Region  I.  The  increase  in  CDF  is  about  4E-5/Rx-year.  Again  there  is  little  sensitivity  in  the  CDF 
increase  value  to  the  assumption  of  whether  the  HEP  is  0.06  or  0. 1 .  Based  on  our  risk  screening 
criteria,  this  modification  falls  in  Region  I  and  would  receive  the  Region  I  review.  The  Region  I 
review  is  detailed  and  should  ensure  that  the  operator  action  to  open  the  valve  would  be 
successfully  performed  when  needed.  This  should  in  turn  provide  confidence  that  the  increase  in 
CDF  would  be  at  the  lower  ACDF^od  value  rather  than  at  the  higher  ACDFha  value. 
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Figure  B.l  Modifications  to  One  Valve 
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Figure  B.2  Integrated  Risk  (or  ICCDP),  Modiflcations  to  One  Valve 

One  can  also  evaluate  the  integrated  risk  (or  ICCDP)  due  to  a  temporary  change  to  one  ESW 
valve.  For  this  evaluation  the  time  that  the  change  will  be  in  place  (in  years)  is  multiplied  by  the 
ACDFn,,^.  This  illustration  used  times  of  1,  6,  and  12  months  (or  1/12,  0.5,  1 .0  years)  that  the 
change  would  be  in  place.  Figure  B.2  shows  the  results  for  HEP  values  of  0.06  and  0.1.  As  time 
increases,  the  integrated  risk  increases.  For  one  month  and  both  HEPs  postulated,  the  integrated 
risk  related  to  the  change  remains  in  Region  III.  This  would  tend  to  indicate  that  the  integrated 
risk  is  reasonable.  Thus,  for  a  one  month  temporary  change  no  human  factors  review  would  be 
required.  For  six  months  or  longer  and  both  HEP  values,  the  change  falls  into  Region  I  or 
Region  II.  This  would  indicate  a  need  to  perform  the  second  step  of  the  risk  screening  using 
ACDFha,  as  done  above. 

Case  2  -  Valves  for  All  Four  EDGs 

In  this  example,  operator  actions  are  needed  to  replace  the  automatic  opening  of  all  four  ESW 
valves  from  the  EDGs.  The  failure  rate  of  the  valves  to  operate  in  automatic  is  lxE-3  failures/- 
demand.  This  was  replaced  in  the  PRA  model  with  an  operator  action  with  HEPs  of  0.06  and  0. 1 
as  above. 
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Risk  screening  calculations  for  Step  1  for  ACDFn,o<i  were  conducted  and  the  results  plotted  in 
Figure  B.3. 


♦  HEP  =0.06 

1E-01  . 

■  HEP  =  0.1 
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Figure  B.3  Modiflcation  to  All  4  Valves 

The  ACDF^od  for  both  HEP  values  falls  in  the  Region  I  area  of  the  Figure.  The  value  is  not 
strongly  dependent  on  the  HEP  selected,  therefore  we  proceed  to  Step  2.  The  two  values  of 
ACDFha  are  above  lE-03,  which  is  significantly  into  Region  I.  Due  to  the  high  risk  if  the 
operator  actions  fail,  as  indicated  by  the  ACDFha  values,  this  proposed  change  may  be  considered 
as  disapproved  without  NRC  performing  the  detailed  Region  I  review.  However,  such  a  decision 
should  not  be  based  strictly  on  risk  considerations.  Other  factors,  as  noted  in  Section  5,  should  be 
considered.  If  the  NRC  decides  to  perform  the  detailed  Region  I  review,  it  is  important  in  order  to 
ensure  that  the  actions  can  be  successfully  and  reliably  performed.  The  Region  I  HFE  review 
should  support  this  assumption. 

Again,  one  can  evaluate  the  integrated  risk  (or  ICCDP)  due  to  a  temporary  change  to  all  four  ESW 
valves.  The  time  that  the  change  vvdll  be  in  place  is  multiplied  by  the  ACDF^noj.  This  example 
also  used  times  of  1,  6,  and  12  months.  Figure  B.4  below  shows  that  for  the  one  month  case  the 
change  is  in  Region  II,  indicating  that  the  Step  2  ACDFha  calculations  should  be  performed,  as 
above.  For  both  the  six  month  and  one  year  cases,  the  change  is  in  Region  I,  again  calling  for  the 
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Step  2  ACDFha  calculations.  Thus,  if  this  were  a  temporary  modification,  the  same  conclusions 
would  probably  be  reached  as  for  permanent  modification,  since  the  risk  values  calculated  for 
ACDFha  ^re  quite  high. 
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Figure  B.4  Integrated  Risk  for  Four  Valve  Case 
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An  Approach  to  the  Statistical  Analysis  of  Time  Data 


The  Region  1  Review  validation  methodology  yields  a  sample  of  time  data  that  can  be  compared 
with  the  time  criterion  (the  time  available  to  perform  the  action).  This  attachment  describes  a 
simple  method  for  making  this  comparison. 

The  approach  uses  the  variability  of  the  completion  times  observed  in  a  limited  number  of  test 
trials  to  estimate  proportion  of  crews  that  would  be  expected  to  complete  an  action  within  the  time 
criterion  (or,  equivalently,  the  time  within  which  an  acceptable  proportion  of  crews  would  be 
expected  to  complete  the  scenario).  It  is  assumed  that  if  a  large  number  of  crews  completed  a 
given  scenario  the  times  taken  to  complete  the  scenario  would  be  distributed  normally,  and  that 
the  times  actually  collected  in  test  trials  are  sampled  randomly  from  such  a  distribution.' 

Due  to  the  variability  of  task  performance,  only  probabilistic  statements  can  be  made  about  the 
adequacy  of  performance  relative  to  a  time  criterion,  e.g.,  that  there  is  a  high  probability  that  a 
task  will  be  completed  within  the  available  time. 

Relating  time  data  to  probabilities  involves  two  steps.  First  the  mean  and  standard  deviation  of 
the  sample  values  are  calculated;  then  tabled  values  of  probabilities  associated  with  standard 
normal  scores  are  used  to  estimate  quantities  of  interest.  The  process  is  described  in  detail,  with 
examples,  below. 

Step  1.  Calculate  the  mean  and  standard  deviation  of  the  observed  values 

First,  calculate  the  average  time  taken  to  perform  the  task,  i.e.,  the  arithmetic  mean  of  the 
observed  completion  times: 


T.vg  =  (T,+T2  +  ...Tn)/N 

Example:  Suppose  the  following  times  were  observed: 


Crew,  = 

2  minutes 

Crewj  = 

4  minutes 

Crewj  = 

6  minutes 

Crew4  = 

6  minutes 

'  The  assumption  of  normality  is  based  on  the  fact  that  the  actions  are  complex  and  influenced  by  mtiny  factors. 
However,  the  distribution  can  be  tested  for  normality,  i.e.,  that  the  data  falls  into  a  normal  distribution.  Common  statistical  tests 
are  available  for  conducting  this  test.  If  the  data  can  be  assumed  to  fall  into  a  normal  distribution,  then  the  data  can  be  used  in 
raw  form.  However,  task  time  data  are  often  positively  skewed.  In  that  case,  the  data  should  be  transformed  to  normal.  A  log 
transformation  will  usually  be  sufficient,  but,  there  are  other  appropriate  transformations  (such  as  a  root-square  and  inverse 
transformation)  that  can  be  applied  depending  on  the  characteristics  of  the  skew. 
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Crewj  =  7  minutes 

Tavg  ^  (2  +  4  +  6  +  6  +  7)/5 
=  25/5 
=  5 


Then  calculate  the  standard  deviation  (SD)  of  observed  values  from  the  average  using  the 
following  formula: 


SD 


{T.  -  T.J 

N  -  1 


Example: 


SD 


9+1  +1  +1  +4 


N 


5-1 


=  2 


With  this  information,  and  tabled  normal  probability  values  (see  Table  C.l),  either  one  of  two 
logically  equivalent  estimates  can  be  made.  One  can  estimate  the  proportion  of  crews  expected  to 
complete  an  action  within  a  specified  time  criterion  (2A),  or  one  can  estimate  the  time  within 
which  a  specified  proportion  of  crews  would  be  expected  to  complete  an  action  (2B). 

Step  2A.  The  proportion  of  crews  expected  to  complete  an  action  within  the  available  time 

To  estimate  the  proportion  of  crews  expected  to  complete  an  action  within  a  specified  time,  first 
express  the  criterion  time  in  terms  of  standard  deviation  units  from  the  sample  mean.  For 
example,  assume  for  example  that  10  minutes  are  available  to  complete  the  action.  The  number  of 
standard  deviations  between  the  mean  and  the  criterion  value  (the  z  score)  is  given  by  the 
following  formula: 


^  =  (T,-T,,g)/SD 

Example: 

z  =  (T,-T,,g)/SD 

=  (10-5)/2 
=  2.5 
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Next,  determine  the  probability  associated  with  the  criterion  time.  This  value  may  be  determined 
by  using  a  table  of  probability  values  for  portions  of  a  standard  normal  distribution.  Such  tables 
are  provided  in  most  introductory-level  textbooks  on  probability  and  statistics.  Selected  values 
from  such  a  table  are  given  in  Table  C.  1 . 

Based  on  the  table,  if  the  criterion  time  is  2.5  standard  deviation  units  above  the  sample  mean,  it 
is  expected  (based  on  the  sample  data  and  the  assumptions  described  above)  that  roughly  99.5% 
of  crews  would  complete  the  action  within  10  minutes. 

Step  2B.  The  time  within  which  a  given  proportion  of  crews  would  be  expected  to  complete  an 
action 

One  can  estimate  the  time  within  which  a  specified  proportion  of  crews  will  complete  an  action 
by  multiplying  the  tabled  z  value  for  the  chosen  probability  by  the  standard  deviation  based  on  the 
sample  and  adding  the  result  to  the  average  value  for  the  sample.  For  example,  to  estimate  the 
time  within  which  98%  of  crews  would  be  expected  complete  an  action,  first  determine  from  the 
table  the  z-score  associated  with  the  probability  value;  a  proportion  of  .98  corresponds  to  a  z-score 
of  about  2.  Then  multiply  this  value  by  the  standard  deviation  and  add  the  result  to  the  sample 
average; 

T98  ~  T,vg  +  (z9g  •  SD  ) 

=  5 +  (2-2) 

=  9  minutes 

Thus,  based  on  the  sample  data  and  the  assumptions  described  above,  98%  of  crews  would  be 
expected  to  complete  the  action  in  9  minutes  or  less. 
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Table  C.l  Selected  z-Scores  and  Normal  Probabilities 


z 

Proportion 

0.00 

0.5 

0.25 

0.6 

0.52 

0.7 

0.84 

0.8 

1.28 

0.9 

1.64 

0.95 

2.06 

0.98 

2.33 

0.99 

2.57 

0.995 

NOTE:  Since  the  mean  and  standard  deviation  are  estimated  from  very  few 
cases,  and  because  proportions  less  than  .90  are  not  of  practical  interest,  the 
values  shown  in  this  table  should  provide  sufficient  resolution  for  the  purposes  of 
this  analysis.  If  needed,  intermediate  values  can  be  obtained  from  tables  of  the 
area  under  the  normal  probability  curve,  which  can  be  found  in  any  text  on 
statistics,  probability,  or  quality  control. 
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